Abstract. We characterize the complexity of the safety verification problem for parameterized systems consisting of a leader process and arbitrarily many anonymous and identical contributors. Processes communicate through a shared, bounded-value register. While each operation on the register is atomic, there is no synchronization primitive to execute a sequence of operations atomically. We analyze the complexity of the safety verification problem when processes are modeled by finite-state machines, pushdown machines, and Turing machines. The problem is coNP-complete when all processes are finite-state machines, and is PSPACE-complete when they are pushdown machines. The complexity remains coNP-complete when each Turing machine is allowed boundedly many interactions with the register. Our proofs use combinatorial characterizations of computations in the model, and in case of pushdown-systems, some language-theoretic constructions of independent interest.

1 Introduction

We conduct a systematic study of the complexity of safety verification for parameterized asynchronous shared-memory systems. These systems consist of a leader process and arbitrarily many identical contributors, processes with no identity, running at arbitrarily relative speeds and subject to faults (a process can crash). The shared memory consists of a read/write register that all processes can access to perform either a read operation or a write operation. The register is bounded: the set of values that can be stored is finite. We do insist that read/write operations execute atomically but sequences of operations do not: no process can conduct an atomic sequence of reads and writes while excluding all other processes. The parameterized verification problem for these systems asks to check if a safety property holds no matter how many contributors are present. Our model subsumes the case in which all processes are identical by having the leader process behave like yet another contributor. The presence of a distinguished leader adds (strict) generality to the problem.

We analyze the complexity of the safety verification problem when leader and contributors are modeled by finite state machines, pushdown machines, and even Turing machines. Using combinatorial properties of the model that allow simulating arbitrarily many contributors using finitely many ones, we show that if leader and contributors are finite-state machines the problem is coNP-complete. The case in which leader and contributors are pushdown machines was first considered by Hague [17], who gave a coNP lower bound and a 2EXPTIME upper bound. We close the gap and prove that the problem is PSPACE-complete. Our upper bound requires several novel language-theoretic constructions on bounded-index approximations of context-free languages. Finally, we address the bounded safety problem, i.e., deciding if no error can be reached by computations in which no contributor nor the leader execute more than a given number k of steps (this does not bound the length of the computation, since the number of contributors is unbounded). We show that (if k is given in unary) the problem is coNP-complete not only for pushdown machines, but also for arbitrary Turing machines. Thus, the safety verification problem when the leader and contributors are poly-time Turing machines is also coNP-complete.

These results show that non-atomicity substantially reduces the complexity of verification. In the atomic case, contributors can ensure that they are the only ones that receive a message: the first contributor that reads the message from the store can also erase it within the same atomic action. This allows the leader to distribute identities to contributors. As a consequence, the safety problem is at least PSPACE-hard for state machines, and undecidable for pushdown machines (in the atomic case, the safety problem of two pushdown machines is already undecidable). A similar argument shows that the bounded safety problem is PSPACE-hard. In contrast, we get several coNP upper bounds, which opens the way to the application of SAT-solving or SMT-techniques.

Besides intellectual curiosity, our work on this model is motivated by practical distributed protocols implemented on wireless sensor networks. In these systems, a central co-ordinator (the base station) communicates with an arbitrary number of mass-produced tiny agents (or motes) that run concurrently and asynchronously. The motes have limited computational power, and for some systems such as vehicular networks anonymity is a requirement [20]. Further, they are susceptible to crash faults. Implementing atomic communication primitives in this setting is expensive and can be problematic: for instance, a process might crash while holding a lock. Thus, protocols in these systems work asynchronously and without synchronization primitives. Our algorithms provide the foundations for safety verification of these systems.

Related Works. Parameterized verification problems have been extensively studied both theoretically and practically. It is a computationally hard problem: the reachability problem is undecidable even if each process has a finite state space [2]. For this reason, special cases have been extensively studied. They vary according to the main characteristics of the systems to verify, like the communication topology of the processes (array, tree, unordered, etc.); their communication primitives (shared memory, unreliable broadcasts, (lossy) queues, etc.); or whether processes can distinguish from each other (using ids, a distinguished process, etc.). Prominent examples include broadcast protocols [12,14,9,8], where finite-state processes communicate via broadcast messages, asynchronous programs [15,24], where finite-state processes communicate via unordered channels, finite-state processes communicating via ordered channels [1], micro architectures [21], cache coherence protocols [10,6], communication protocols [11], multithreaded shared-memory programs [5,7,19,23].

Besides the model of Hague [17], the closest model to ours that has been previously studied [16] is that of distributed computing with identity-free, asynchronous processors and non-atomic registers. The emphasis there was the development of distributed algorithm primitives such as time-stamping, snapshots, and consensus, using either unbounded registers or an unbounded number of bounded registers.

It was left open if these primitives can be implemented using a bounded number of bounded registers. Our decidability results indicate that this is not possible: the safety verification problem would be undecidable if such primitives could be implemented.



2 Formal Model: Non-Atomic Networks

We describe our formal model, called non-atomic networks. We take a language-theoretic view, identifying a system with the language of its executions.

Preliminaries. A labeled transition system (LTS) is a quadruple $T = (\Sigma, Q, \delta, q_0)$, where $\Sigma$ is a finite set of action labels, $Q$ is a (not necessarily finite) set of states, $q_0 \in Q$ is the initial state, and $\delta \subseteq Q \times (\Sigma \cup \{\lambda\}) \times Q$ is the transition relation, where $\lambda$ is a silent action not in $\Sigma$. We write $q \xrightarrow{a} q'$ for $(q, a, q') \in \delta$. We write $q \xrightarrow{\sigma} q'$ if there exist $q_1, \ldots, q_n \in Q$ and $a_0, \ldots, a_n \in \Sigma \cup \{\lambda\}$, $q \xrightarrow{a_0} q_1 \xrightarrow{a_1} q_2 \cdots q_n \xrightarrow{a_n} q'$ such that $a_0 \cdots a_n = \sigma$. The sequence $q \xrightarrow{\sigma} q'$ is called a path and $\sigma$ its label. A trace of $T$ is a sequence $\sigma \in \Sigma^*$ such that $q_0 \xrightarrow{\sigma'} q$ for some $q \in Q$ and $\sigma' \in (\Sigma \cup \{\lambda\})^*$ whose projection onto $\Sigma$ is equal to $\sigma$. Define $L(T)$, the language of $T$, as the set of traces of $T$. Note that $L(T)$ is prefix closed: $L(T) = \mathit{Pref}(L(T))$ where $\mathit{Pref}(L) = \{ s \mid \exists u \colon su \in L \}$.

To model concurrent executions of LTSs, we introduce two operations on languages: the shuffle and the asynchronous product. The shuffle of two words $x, y \in \Sigma^*$ is the language $x \sqcup\!\sqcup y = \{ x_1 y_1 \ldots x_n y_n \in \Sigma^* \mid \text{each } x_i, y_i \in \Sigma^* \text{ and } x = x_1 \cdots x_n \wedge y = y_1 \cdots y_n \}$. The shuffle of two languages $L_1, L_2$ is the language $L_1 \sqcup\!\sqcup L_2 = \bigcup_{x \in L_1,\, y \in L_2} x \sqcup\!\sqcup y$. Shuffle is associative, and so we can write $L_1 \sqcup\!\sqcup \cdots \sqcup\!\sqcup L_n$ or $\sqcup\!\sqcup_{i=1}^{n} L_i$.

The asynchronous product of two languages $L_1 \subseteq \Sigma_1^*$ and $L_2 \subseteq \Sigma_2^*$, denoted $L_1 \parallel L_2$, is the language $L$ over the alphabet $\Sigma = \Sigma_1 \cup \Sigma_2$ such that $w \in L$ iff the projections of $w$ to $\Sigma_1$ and $\Sigma_2$ belong to $L_1$ and $L_2$, respectively.$^1$ If a language consists of a single word, e.g. $L_1 = \{w_1\}$, we abuse notation and write $w_1 \parallel L_2$. Asynchronous product is also associative, and so we write $L_1 \parallel \cdots \parallel L_n$ or $\parallel_{i=1}^{n} L_i$.

Let $T_1, \ldots, T_n$ be LTSs, where $T_i = (\Sigma_i, Q_i, \delta_i, q_{0i})$. The interleaving $\sqcup\!\sqcup_{i=1}^{n} T_i$ is the LTS with actions $\bigcup_{i=1}^{n} \Sigma_i$, set of states $Q_1 \times \cdots \times Q_n$, initial state $(q_{01}, \ldots, q_{0n})$, and a transition $(q_1, \ldots, q_n) \xrightarrow{a} (q'_1, \ldots, q'_n)$ iff $(q_i, a, q'_i) \in \delta_i$ for some $1 \le i \le n$ and $q_j = q'_j$ for every $j \neq i$. Interleaving models parallel composition of LTSs that do not communicate at all. The language $L(T_1 \sqcup\!\sqcup \cdots \sqcup\!\sqcup T_n)$ of the interleaving is $\sqcup\!\sqcup_{i=1}^{n} L(T_i)$.

The asynchronous parallel composition $\parallel_{i=1}^{n} T_i$ of $T_1, \ldots, T_n$ is the LTS having $\bigcup_{i=1}^{n} \Sigma_i$ as set of actions, $Q_1 \times \cdots \times Q_n$ as set of states, $(q_{01}, \ldots, q_{0n})$ as initial state, and a transition $(q_1, \ldots, q_n) \xrightarrow{a} (q'_1, \ldots, q'_n)$ if and only if

1. $a \neq \lambda$ and for all $1 \le i \le n$ either $a \notin \Sigma_i$ and $q_i = q'_i$, or $a \in \Sigma_i$ and $(q_i, a, q'_i) \in \delta_i$; or

2. $a = \lambda$, and there is $1 \le i \le n$ such that $(q_i, \lambda, q'_i) \in \delta_i$ and $q_j = q'_j$ for every $j \neq i$.

Asynchronous parallel composition models the parallel composition of LTSs in which an action $a$ must be simultaneously executed by every LTS having $a$ in its alphabet. $L(T_1 \parallel \cdots \parallel T_n)$, the language of the asynchronous parallel composition, is $\parallel_{i=1}^{n} L(T_i)$.

$^1$ Observe that $L_1 \parallel L_2$ depends on $L_1$, $L_2$ and also on their underlying alphabets $\Sigma_1$ and $\Sigma_2$.



Non-atomic networks. We fix a finite non-empty set $\mathcal{G}$ of global values. A read-write alphabet is any set of the form $A \times \mathcal{G}$, where $A$ is a set of read and write actions, or just reads and writes. We denote a letter $(a, g) \in A \times \mathcal{G}$ by $a(g)$, and write $\mathcal{G}(a_1, \ldots, a_n)$ instead of $\{a_1, \ldots, a_n\} \times \mathcal{G}$.

In what follows, we consider LTSs over read-write alphabets. We fix two LTSs $D$ and $C$, called the leader and the contributor, with alphabets $\mathcal{G}(r_d, w_d)$ and $\mathcal{G}(r_c, w_c)$, respectively, where $r_c, r_d$ are called reads and $w_c, w_d$ are called writes. We write $w_*$ (respectively, $r_*$) to stand for either $w_c$ or $w_d$ (respectively, $r_c$ or $r_d$). We also assume that for each value $g \in \mathcal{G}$ there is a transition in the leader or contributor which reads or writes $g$ (if not, the value is never used and is removed from $\mathcal{G}$).

Additionally, we fix an LTS $S$ called a store, whose states are the global values of $\mathcal{G}$ and whose transitions, labeled with the read-write alphabet, represent possible changes to the global values on reads and writes. No read is enabled initially. Formally, the store is the LTS $S = (\Sigma, \mathcal{G} \cup \{g_0\}, \delta_S, g_0)$, where $\Sigma = \mathcal{G}(r_d, w_d, r_c, w_c)$, $g_0$ is a designated initial value not in $\mathcal{G}$, and $\delta_S$ is the set of transitions $g \xrightarrow{r_*(g)} g$ and $g' \xrightarrow{w_*(g)} g$ for all $g \in \mathcal{G}$ and all $g' \in \mathcal{G} \cup \{g_0\}$. Observe that fixing $D$ and $C$ also fixes $S$.

Definition 1. Given a pair $(D, C)$ of a leader $D$ and contributor $C$, and $k \ge 1$, define $N_k$ to be the LTS $D \parallel S \parallel \sqcup\!\sqcup_k C$, where $\sqcup\!\sqcup_k C$ is $\sqcup\!\sqcup_{i=1}^{k} C$. The (non-atomic) $(D, C)$-network $N$ is the set $\{N_k \mid k \ge 1\}$, with language $L(N) = \bigcup_{k \ge 1} L(N_k)$. We omit the prefix $(D, C)$ when it is clear from the context.

Notice that $L(N_k) = L(D) \parallel L(S) \parallel \sqcup\!\sqcup_k L(C)$ and $L(N) = L(D) \parallel L(S) \parallel \sqcup\!\sqcup_\infty L(C)$, where $\sqcup\!\sqcup_\infty L(C)$ is given by $\bigcup_{k \ge 1} \sqcup\!\sqcup_k L(C)$.

The safety verification problem. A trace of a $(D, C)$-network $N$ is unsafe if it ends with an occurrence of $w_c(\#)$, where $\#$ is a special value of $\mathcal{G}$. Intuitively, an occurrence of $w_c(\#)$ models that the contributor raises a flag because some error has occurred. A $(D, C)$-network $N$ is safe iff its language contains no unsafe trace, namely $L(N) \cap \Sigma^* w_c(\#) = \emptyset$. (We could also require the leader to write $\#$, or to reach a certain state; all these conditions are easily shown equivalent.)

Given a machine $M$ having an LTS semantics over some read-write alphabet, we denote its LTS by $[\![M]\!]$. Given machines $M_D$ and $M_C$ over read-write alphabets, the safety verification problem for machines $M_D$ and $M_C$ consists of deciding if the $([\![M_D]\!], [\![M_C]\!])$-network is safe. Notice that the size of the input is the size of the machines, and not the size of the LTSs thereof, which might even be infinite.
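To make Definition 1 and the safety condition concrete, here is an added example (not code from the paper): an explicit-state exploration of $N_k$ for a fixed $k$, with the store $S$ as defined above, that searches for a trace ending in $w_c(\#)$. The leader/contributor pair, the names `LTS`, `store_step` and `find_unsafe_trace`, and the value set are all constructed for this illustration; the contributor models the "read free, then write busy" pattern that non-atomicity breaks, so one contributor is safe and two are not.

```python
from collections import deque

# An LTS (Sec. 2): an initial state plus a transition map state -> [(label, next_state)].
# Labels are read-write letters (action, value), action in {'rd','wd','rc','wc'};
# None stands for the silent action lambda.
class LTS:
    def __init__(self, init, trans):
        self.init, self.trans = init, trans

G0 = 'g0'          # designated initial register value g_0, not in G

def store_step(g, letter):
    """Transition relation of the store S: g --r*(g)--> g, and g' --w*(g)--> g for any g'.
    Returns the new register value, or None when the letter is not enabled at g."""
    act, val = letter
    if act in ('rd', 'rc'):
        return val if val == g else None
    return val         # 'wd' / 'wc': a write is always enabled

def trace_to(parent, state):
    """Rebuild the (lambda-free) trace that led BFS to a state."""
    letters = []
    while parent[state] is not None:
        state, lab = parent[state]
        if lab is not None:
            letters.append(lab)
    return letters[::-1]

def find_unsafe_trace(leader, contrib, k, flag='#'):
    """Breadth-first exploration of N_k = D || S || (C shuffle ... shuffle C), k contributors.
    Every read or write is one atomic step, but nothing makes two steps atomic (Def. 1).
    Contributors are anonymous, so their local states are kept as a sorted tuple.
    Returns a shortest trace ending in wc(#) if N_k has one, else None."""
    start = (leader.init, G0, tuple(sorted([contrib.init] * k)))
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        d, g, cs = cur
        succs = []
        for lab, d2 in leader.trans.get(d, []):               # leader moves
            g2 = g if lab is None else store_step(g, lab)
            if g2 is not None:
                succs.append((lab, (d2, g2, cs)))
        for i, c in enumerate(cs):                            # contributor moves
            if i > 0 and cs[i - 1] == c:
                continue                                      # same local state: same moves
            rest = cs[:i] + cs[i + 1:]
            for lab, c2 in contrib.trans.get(c, []):
                g2 = g if lab is None else store_step(g, lab)
                if g2 is not None:
                    succs.append((lab, (d, g2, tuple(sorted(rest + (c2,))))))
        for lab, nxt in succs:
            if lab == ('wc', flag):
                return trace_to(parent, cur) + [lab]
            if nxt not in parent:
                parent[nxt] = (cur, lab)
                queue.append(nxt)
    return None

# Constructed sample (not from the paper). G = {free, busy, in, #}. The leader only
# initialises the register; a contributor takes a "lock" by reading free and then, in a
# separate step, writing busy. Inside the critical section it announces 'in' and raises
# the flag if it ever sees 'busy' again, i.e. if another contributor got in as well.
LEADER = LTS('d0', {'d0': [(('wd', 'free'), 'd1')]})
CONTRIB = LTS('c0', {
    'c0': [(('rc', 'free'), 'c1')],
    'c1': [(('wc', 'busy'), 'c2')],
    'c2': [(('wc', 'in'), 'c3')],
    'c3': [(('rc', 'busy'), 'c4'), (('wc', 'free'), 'c0')],
    'c4': [(('wc', '#'), 'c5')],
})

if __name__ == '__main__':
    print('k=1:', find_unsafe_trace(LEADER, CONTRIB, 1))   # None: one contributor is safe
    print('k=2:', find_unsafe_trace(LEADER, CONTRIB, 2))   # the read-then-write race
```

With an atomic read-and-write the second contributor could never observe `free` after the first one had claimed it; here both read `free` before either writes `busy`, which is exactly the non-atomicity the model captures.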

Our goal is to characterize the complexity of the safety verification problem considering various types of machines for the leader and the contributors. We first establish some fundamental combinatorial properties of non-atomic networks.



3 Simulation and Monotonicity

We prove two fundamental combinatorial properties of non-atomic networks: the Simulation and Monotonicity Lemmas. Informally, the Simulation Lemma states that a leader cannot distinguish an unbounded number of contributors from the parallel composition of at most $|\mathcal{G}|$ simulators — LTSs derivable from the contributors, one for each value of $\mathcal{G}$. The Monotonicity Lemma states that non-minimal traces (with respect to a certain subword order) can be removed from a simulator without the leader "noticing", and, symmetrically, non-maximal traces can be removed from the leader without the simulators "noticing".

3.1 Simulation

First writes and useless writes. Let $\sigma$ be a trace. The first write of $g$ in $\sigma$ by a contributor is the first occurrence of $w_c(g)$ in $\sigma$. A useless write of $g$ by a contributor is any occurrence of $w_c(g)$ that is immediately overwritten by another write. For technical reasons, we additionally assume that useless writes are not first writes.

Example 1. In a network trace $w_d(g_1)_1\, w_c(g_2)_2\, w_c(g_3)_3\, r_d(g_3)_4\, w_c(g_2)_5\, w_c(g_1)_6$ where we have numbered occurrences, $w_c(g_2)_2$ is a first write of $g_2$, and $w_c(g_2)_5$ is a useless write of $g_2$ (even though $w_c(g_2)_2$ is immediately overwritten).

We make first writes and useless writes explicit by adding two new actions $f_c$ and $u_c$ to our LTSs, and adequately adapting the store.

Definition 2. The extension of an LTS $T = (\mathcal{G}(r, w), Q, \delta, q_0)$ is the LTS $T^E = (\mathcal{G}(r, w, f, u), Q, \delta^E, q_0)$, where $f, u$ are the first write and useless write actions, respectively, and

$\delta^E = \delta \cup \{ (q, f(g), q'),\ (q, u(g), q') \mid (q, w(g), q') \in \delta \}$.

We define an extended store, whose states are triples $(g, W, b)$, where $g \in \mathcal{G}$, $W \colon \mathcal{G} \to \{0, 1\}$ is the write record, and $b \in \{0, 1\}$ is the useless flag. Intuitively, $W$ records the values written by the contributors so far. If $W(g) = 0$, then a write to $g$ must be a first write, and otherwise a regular write or a useless write. The useless flag is set to 1 by a useless write, and to 0 by other writes. When set to 1, the flag prevents the occurrence of a read. The flag only ensures that between a useless write and the following write no read happens, i.e., that a write tagged as useless will indeed be semantically useless. A regular or first write may be semantically useless or not.

Definition 3. The extended store is the LTS $S^E = (\Sigma_E, Q_E, \delta_{S^E}, c_0)$ where

- $\Sigma_E = \mathcal{G}(r_d, w_d, r_c, w_c, f_c, u_c)$;

- $Q_E$ is the set of triples $(g, W, b)$, where $g \in \mathcal{G} \cup \{g_0\}$, $W \colon \mathcal{G} \to \{0, 1\}$, and $b \in \{0, 1\}$;

- $c_0$ is the triple $(g_0, W_0, 0)$, where $W_0(g) = 0$ for every $g \in \mathcal{G}$;

- $\delta_{S^E}$ has a transition $(g, W, b) \xrightarrow{a} (g', W', b')$ where $g' \in \mathcal{G}$ iff one of the following conditions hold:

  • $a = r_*(g)$, $g' = g$, $W' = W$, and $b = b' = 0$;

  • $a = w_d(g')$, $W' = W$ and $b' = 0$;

  • $a = f_c(g')$, $W(g') = 0$, $W' = W[W(g')/1]$, and $b' = 0$;

  • $a = w_c(g')$, $W(g') = 1$, $W' = W$, and $b' = 0$;

  • $a = u_c(g')$, $W(g') = 1$, $W' = W$, and $b' = 1$.

The extension of $N_k$ is $N_k^E = D \parallel S^E \parallel \sqcup\!\sqcup_k C^E$ and the extension of $N$ is the set $N^E = \{N_k^E \mid k \ge 1\}$. The languages $L(N_k^E)$ and $L(N^E)$ are defined as in Def. 1.



It follows immediately from this definition that if $v \in L(N^E)$ then the sequence $v'$ obtained by replacing every occurrence of $f_c(g), u_c(g)$ in $v$ by $w_c(g)$ belongs to $L(N)$. Conversely, every trace $v'$ of $L(N)$ can be transformed into a trace $v$ of $L(N^E)$ by adequately replacing some occurrences of $w_c(g)$ by $f_c(g)$ or $u_c(g)$.

In the sequel, we use sequences of first writes to partition sets of traces. Define $\Upsilon$ to be the (finite) set of sequences over $\mathcal{G}(f_c)$ with no repetitions. By the very idea of "first writes" no sequence of $\Upsilon$ writes the same value twice, hence no word in $\Upsilon$ is longer than $|\mathcal{G}|$. Also define $\Upsilon_\#$ to be those words of $\Upsilon$ which end with $f_c(\#)$. Given $t \in \Upsilon$, define $P_t$ to be the language given by $(\Sigma_E \setminus \mathcal{G}(f_c))^* \sqcup\!\sqcup t$. $P_t$ contains all the sequences over $\Sigma_E$ in which the subsequence of first writes is exactly $t$. For $S \subseteq \Upsilon$, $P_S = \bigcup_{\sigma \in S} P_\sigma$.
The Copycat Lemma. Intuitively, a copycat contributor is one that follows another contributor in all its actions: it reads or writes the same value immediately after the other reads or writes. Informally, the copycat lemma states that any trace of a non-atomic network can be extended with copycat contributors.

Consider first the non-extended case. Clearly, for every trace of $N_k$ there is a trace of $N_{k+1}$ in which the leader and the first $k$ contributors behave as before, and the $(k+1)$-th contributor behaves as a copycat of one of the first $k$ contributors, say the $i$-th: if the $i$-th contributor executes a read $r_c(g)$, then the $(k+1)$-th contributor executes the same read immediately after, and the same for a write.

Example 2. Consider the trace $r_c(g_0)\, w_d(g_1)\, r_c(g_1)\, w_c(g_2)$ of $D \parallel S \parallel C$. Then the sequence $r_c(g_0)^2\, w_d(g_1)\, r_c(g_1)^2\, w_c(g_2)^2$ is a trace of $D \parallel S \parallel (C \sqcup\!\sqcup C)$.

For the case of extended networks, a similar result holds, but the copycat copies a first write by a regular write: if the $i$-th contributor executes an action other than $f_c(g)$, the copycat contributor executes the same action immediately after, but if the $i$-th contributor executes $f_c(g)$, then the copycat executes $w_c(g)$.

Definition 4. We say $u \in \mathcal{G}(r_d, w_d)^*$ is compatible with a multiset $M = \{v_1, \ldots, v_k\}$ of words over $\mathcal{G}(f_c, w_c, u_c, r_c)$ (possibly containing multiple copies of a word) iff $u \parallel L(S^E) \parallel \sqcup\!\sqcup_{i=1}^{k} v_i \neq \emptyset$. Let $t \in \Upsilon$. We say $u$ is compatible with $M$ following $t$ iff

$P_t \cap (u \parallel L(S^E) \parallel \sqcup\!\sqcup_{i=1}^{k} v_i) \neq \emptyset$.



Lemma 1. Let $u \in \mathcal{G}(r_d, w_d)^*$ and let $M$ be a multiset of words over $\mathcal{G}(r_c, f_c, w_c, u_c)$. If $u$ is compatible with $M$, then $u$ is compatible with every $M'$ obtained by erasing symbols from $\mathcal{G}(r_c)$ and $\mathcal{G}(u_c)$ from the words of $M$.

Proof. Erasing reads and useless writes (that no one reads) by contributors does not affect the sequence of values written to the store and read by someone, hence compatibility is preserved. $\square$

Lemma 2 (Copycat Lemma). Let $u \in \mathcal{G}(r_d, w_d)^*$, let $M$ be a multiset over $L(C^E)$ and let $v' \in M$. Given a prefix $v$ of $v'$ we have that if $u$ is compatible with $M$, then $u$ is compatible with $M \oplus \{v[f_c(g)/w_c(g)]\}$.$^2$

$^2$ Throughout the paper, we use $\{\,\}$, $\oplus$, $\ominus$, and $\ge$ for the multiset constructor, union, difference and inclusion, respectively. The word $w[a/b]$ results from $w$ by replacing all occurrences of $a$ by $b$.



Example 3. $r_d(g_1)$ is compatible with $\{f_c(g_1) f_c(g_2)\}$. By the Copycat Lemma $r_d(g_1)$ is also compatible with $\{f_c(g_1) f_c(g_2),\ w_c(g_1) w_c(g_2)\}$. Indeed, $f_c(g_1)\, w_c(g_1)\, r_d(g_1)\, f_c(g_2)\, w_c(g_2) \in L(S^E)$ is a trace (even though $f_c(g_2)$ is useless).

The Simulation Lemma. The simulation lemma states that we can replace unboundedly many contributors by a finite number of LTSs that "simulate" them. In particular the network is safe iff its simulation is safe.

Let $v \in L(C^E)$. Let $\#v$ be the number of times that actions of $\mathcal{G}(f_c, w_c)$ occur in $v$, minus one if the last action of $v$ belongs to $\mathcal{G}(f_c, w_c)$. E.g., $\#v = 1$ for $v = f_c(g_1) f_c(g_1)$ but $\#v = 0$ for $v = r_c(g_1) f_c(g_1)$. The next lemma is at the core of the simulation theorem.

Lemma 3. Let $u \in L(D)$ and let $M = \{v_1, \ldots, v_k\}$ be a multiset over $L(C^E)$ compatible with $u$. Then $u$ is compatible with a multiset $\bar{M}$ over $L(C^E) \cap \mathcal{G}(r_c, u_c)^* \mathcal{G}(f_c, w_c)$.

Proof. Since $u$ is compatible with $M$, $u \parallel L(S^E) \parallel \sqcup\!\sqcup_{i=1}^{k} v_i \neq \emptyset$. Lemma 1 shows that we can drop from $M$ all the $v_i$ such that $v_i \in \mathcal{G}(r_c, u_c)^*$. Further, define $\#M = \sum_{i=1}^{k} \#v_i$. We proceed by induction on $\#M$. If $\#M = 0$, then all the words of $M$ belong to $\mathcal{G}(r_c, u_c)^* \mathcal{G}(f_c, w_c)$, and we are done. If $\#M > 0$, then there is $v_i \in M$ such that $v_i = \alpha_i \sigma \beta_i$, where $\alpha_i \in \mathcal{G}(r_c, u_c)^*$, $\sigma \in \mathcal{G}(f_c, w_c)$, and $\beta_i \neq \varepsilon$. Let $g$ be the value written by $\sigma$, and let $v_{k+1} = \alpha_i w_c(g)$. By Lemma 2, $u$ is compatible with $\{v_1, \ldots, v_{k+1}\}$, and so there is $v' \in u \parallel L(S^E) \parallel \sqcup\!\sqcup_{i=1}^{k+1} v_i$ in which the write $\sigma$ of $v_i$ occurs in $v'$ immediately before the write of $v_{k+1}$. We now let the writes occur in the reverse order, which amounts to replacing $v_i$ by $v'_i = \alpha_i u_c(g) \beta_i$ and $v_{k+1}$ by $v'_{k+1} = \alpha_i \sigma$. This yields a new multiset $M' = M \ominus \{v_i\} \oplus \{v'_i, v'_{k+1}\}$ compatible with $u$. Since $\#M' = \#M - 1$, we then apply the induction hypothesis to $M'$, obtain $\bar{M}$ and we are done. $\square$

Definition 5. For all $g \in \mathcal{G}$, let $L_g = L(C^E) \cap \mathcal{G}(r_c, u_c)^* f_c(g)$. Define $S_g$ to be an LTS over $\mathcal{G}(r_c, u_c, f_c, w_c)$ such that $L(S_g) = \mathit{Pref}(L_g \cdot w_c(g)^*)$. Define the LTS $N^S = D \parallel S^E \parallel \sqcup\!\sqcup_{g \in \mathcal{G}} S_g$, which we call the simulation of $N^E$.

Lemma 4. Let $u \in L(D)$ and let $M = \{v_1, \ldots, v_k\}$ be a multiset over $L(C^E) \cap \mathcal{G}(r_c, u_c)^* \mathcal{G}(f_c, w_c)$ compatible with $u$. Then $u$ is compatible with a set $S = \{s_g\}_{g \in \mathcal{G}}$ where $s_g \in L(S_g)$.

Proof. Let us partition the multiset $M$ as $\{M_g\}_{g \in \mathcal{G}}$ such that $M_g$ contains exactly the traces of $M$ ending with $f_c(g)$ or $w_c(g)$. Note that some $M_g$ might be empty. Each non-empty $M_g$ is of the form $M_g = \{x_1 f_c(g), x_2 w_c(g), \ldots, x_n w_c(g)\}$ where $n \ge 1$, and $x_i \in \mathcal{G}(r_c, u_c)^*$ for every $1 \le i \le n$. Define $M'_g$ as empty if $M_g$ is empty, and $M'_g$ as $M_g$ together with $n - 1$ copies of $x_1 w_c(g)$. The copycat lemma shows that $u$ is compatible with $\bigoplus_{g \in \mathcal{G}} M'_g$. Let us now define the multiset $M''_g$ to be empty if $M'_g$ is empty, and the multiset of exactly $n$ elements given by $x_1 f_c(g)$ and $n - 1$ copies of $x_1 w_c(g)$ if $M'_g$ is not empty. Again we show that $u$ is compatible with $\bigoplus_{g \in \mathcal{G}} M''_g$. The reason is that the number $n - 1$ of actions $w_c(g)$ in each $M''_g$ does not change (compared to $M_g$) and each $w_c(g)$ action can happen as soon as $f_c(g)$ has occurred.

Now define $S$ consisting of one trace $s_g$ for each $g \in \mathcal{G}$ such that $s_g = \varepsilon$ if $M''_g = \emptyset$; and $s_g = x_1 f_c(g) w_c(g)^{n-1}$ if $M''_g$ consists of $x_1 f_c(g)$ and $n - 1$ copies of $x_1 w_c(g)$.

We have that $u$ is compatible with $S$ because the number of $f_c(g)$ and $w_c(g)$ actions in $M''_g$ and $s_g$ does not change and each $w_c(g)$ action can happen as soon as $f_c(g)$ has occurred. Note that it need not be the case that $s_g \in L(C^E)$. However each $s_g \in L(S_g)$ (recall that each $L(S_g)$ is prefix closed). $\square$

Corollary 1. Let $u \in L(D)$ and let $M = \{v_1, \ldots, v_k\}$ be a multiset over $L(C^E)$ compatible with $u$. Then $u$ is compatible with a set $S = \{s_g\}_{g \in \mathcal{G}}$ where $s_g \in L(S_g)$.

In Lemmas 1, 2, 3 and 4 and Corollary 1 compatibility is preserved. We can further show that it is preserved following a given sequence of first writes. For example, in Lem. 3 if $u$ is compatible with $M$ following $t$ then $u$ is compatible with $\bar{M}$ following $t$.

Lemma 5 (Simulation Lemma). Let $t \in \Upsilon$:

$L(N^E) \cap P_t \neq \emptyset$ iff $L(N^S) \cap P_t \neq \emptyset$.

Proof. ($\Rightarrow$): The hypothesis and the definition of $N^E$ show that there is $k \ge 1$ such that $P_t \cap (L(D) \parallel L(S^E) \parallel \sqcup\!\sqcup_k L(C^E)) \neq \emptyset$.

Therefore we conclude that there exist $u \in L(D)$ and $M = \{v_1, \ldots, v_k\}$ over $L(C^E)$ such that $u$ is compatible with $M$ following $t$. Corollary 1 shows that $u$ is compatible following $t$ with a set $S = \{s_g\}_{g \in \mathcal{G}}$ where $s_g \in L(S_g)$. Therefore we have $P_t \cap (u \parallel L(S^E) \parallel \sqcup\!\sqcup_{g \in \mathcal{G}} L(S_g)) \neq \emptyset$, hence that $P_t \cap (L(D) \parallel L(S^E) \parallel \sqcup\!\sqcup_{g \in \mathcal{G}} L(S_g)) \neq \emptyset$ and finally that $P_t \cap L(N^S) \neq \emptyset$.

($\Leftarrow$): The hypothesis and the definition of $N^S$ show that $P_t \cap (L(D) \parallel L(S^E) \parallel \sqcup\!\sqcup_{g \in \mathcal{G}} L(S_g)) \neq \emptyset$. Hence we find that there exist $u \in L(D)$ and a set $\{x_g\}_{g \in \mathcal{G}}$ where $x_g \in L(S_g)$ such that $P_t \cap (u \parallel L(S^E) \parallel \sqcup\!\sqcup_{g \in \mathcal{G}} x_g) \neq \emptyset$. The prefix closure of $L(S_g)$ shows that either $x_g$ does not have a first write or $x_g = v_g f_c(g) w_c(g)^{n_g}$ for some $v_g f_c(g) \in L_g$ and $n_g \in \mathbb{N}$. In the former case, that is $x_g \in \mathcal{G}(r_c, u_c)^*$, Lemma 1 shows that discarding the trace does not affect compatibility. Then define the multiset $M$ containing for each remaining trace $x_g = v_g f_c(g) w_c(g)^{n_g}$ the trace $v_g f_c(g)$ and $n_g$ traces $v_g w_c(g)$. $M$ contains no other element. Using a copycat-like argument, it is easy to show $M$ is compatible with $u$ and further that compatibility follows $t$. Finally, because $v_g f_c(g) \in L(C^E) \cap \mathcal{G}(r_c, u_c)^* \mathcal{G}(f_c)$ and because $C^E$ is the extension of $C$ we find that every trace of $M$ is also a trace of $C^E$, hence that there exists $k \ge 1$ such that $P_t \cap (L(D) \parallel L(S^E) \parallel \sqcup\!\sqcup_k L(C^E)) \neq \emptyset$, and finally that $L(N^E) \cap P_t \neq \emptyset$. $\square$

Let us now prove an equivalent safety condition.

Proposition 1. A $(D, C)$-network $N$ is safe iff $L(N^S) \cap P_{\Upsilon_\#} = \emptyset$.

Proof. From the semantics of non-atomic networks, $N$ is unsafe if and only if $L(N) \cap (\Sigma^* w_c(\#)) \neq \emptyset$, equivalently, $L(N^E) \cap (\Sigma_E^* f_c(\#)) \neq \emptyset$ (by definition of extension), which in turn is equivalent to $L(N^E) \cap P_{\Upsilon_\#} \neq \emptyset$ (by definition of $P_{\Upsilon_\#}$), if and only if $L(N^S) \cap P_{\Upsilon_\#} \neq \emptyset$ (by the simulation lemma). $\square$

3.2 Monotonicity

Before stating the monotonicity lemma, we need some language-theoretic definitions. For an alphabet $\Sigma$, define the subword ordering $\le\ \subseteq \Sigma^* \times \Sigma^*$ on words as $u \le v$ iff $u$ results from $v$ by deleting some occurrences of symbols. Let $L \subseteq \Sigma^*$; define $S \subseteq L$ to be

- a cover of $L$ if for every $u \in L$ there is $v \in S$ such that $u \le v$;

- a support of $L$ if for every $u \in L$ there is $v \in S$ such that $v \le u$.

Observe that for every $u, v \in S$ such that $u \le v$: if $S$ is a cover then so is $S \setminus \{u\}$, and if $S$ is a support then so is $S \setminus \{v\}$.

Recall that $N^S = D \parallel S^E \parallel \sqcup\!\sqcup_{g \in \mathcal{G}} S_g$. It is convenient to introduce a fourth, redundant component that does not change $L(N^S)$, but exhibits important properties of it. Recall that the leader cannot observe the reads of the contributors, and does not read the values introduced by useless writes. We introduce a local copy $S^D$ of the store with alphabet $\mathcal{G}(r_d, w_d, f_c, w_c)$ that behaves like $S^E$ for writes and first writes of the contributors, but has neither contributor reads nor useless writes in its alphabet. Formally:

Definition 6. The leader store $S^D$ is the LTS $(\Sigma^D, Q^D, \delta^D, c_0)$,

- $\Sigma^D = \mathcal{G}(r_d, w_d, f_c, w_c)$;

- $Q^D$ is the set of pairs $(g, W)$, where $g \in \mathcal{G} \cup \{g_0\}$ and $W \colon \mathcal{G} \to \{0, 1\}$;

- $c_0$ is the pair $(g_0, W_0)$, where $W_0(g) = 0$ for every $g \in \mathcal{G}$;

- $\delta^D$ has a transition $(g, W) \xrightarrow{a} (g', W')$ where $g' \in \mathcal{G}$ iff one of the following conditions hold: a) $a = w_d(g')$ and $W' = W$; b) $a = r_d(g)$, $g' = g$, and $W' = W$; c) $a = f_c(g')$, $W(g') = 0$, and $W' = W[W(g')/1]$; d) $a = w_c(g')$, $W(g') = 1$, and $W' = W$.

It follows easily from this definition that $L(S^D)$ is the projection of $L(S^E)$ onto $\Sigma^D$, and so $L(S^E) = L(S^E) \parallel L(S^D)$ holds. Now, defining $DS = D \parallel S^D$, we find that:

$L(N^S) = L(D \parallel S^E \parallel \sqcup\!\sqcup_{g \in \mathcal{G}} S_g)$ (Def. 5)

$\quad = L(D) \parallel L(S^E) \parallel L(S^D) \parallel \sqcup\!\sqcup_{g \in \mathcal{G}} L(S_g)$

$\quad = L(DS \parallel S^E \parallel \sqcup\!\sqcup_{g \in \mathcal{G}} S_g)$ (1)



Lemma 6 (Monotonicity Lemma). Let $t \in \Upsilon$ and let $L_t$ be a cover of $L(DS) \cap P_t$. For every $g \in \mathcal{G}$, let $\underline{L}_g$ be a support of $L_g$, and let $\underline{S}_g$ be an LTS such that $L(\underline{S}_g) = \mathit{Pref}(\underline{L}_g \cdot w_c(g)^*)$:

$(L(DS) \cap P_t) \parallel L(S^E) \parallel \sqcup\!\sqcup_{g \in \mathcal{G}} L(S_g) \neq \emptyset$ iff $L_t \parallel L(S^E) \parallel \sqcup\!\sqcup_{g \in \mathcal{G}} L(\underline{S}_g) \neq \emptyset$.

The proof of the monotonicity lemma breaks down into monotonicity for the contributors (Lemma 7) and for the leader (Lemma 9).

Lemma 7 (Contributor Monotonicity Lemma). For every $g \in \mathcal{G}$, let $\underline{L}_g$ be a support of $L_g$, and let $\underline{S}_g$ be an LTS such that $L(\underline{S}_g) = \mathit{Pref}(\underline{L}_g \cdot w_c(g)^*)$. Let $u \in \mathcal{G}(r_d, w_d)^*$ and $t \in \Upsilon$:

$(u \parallel L(S^E) \parallel \sqcup\!\sqcup_{g \in \mathcal{G}} L(S_g)) \cap P_t \neq \emptyset$ iff $(u \parallel L(S^E) \parallel \sqcup\!\sqcup_{g \in \mathcal{G}} L(\underline{S}_g)) \cap P_t \neq \emptyset$.

Proof. ($\Leftarrow$): It suffices to observe that since $\underline{L}_g \subseteq L_g$ we have $L(\underline{S}_g) \subseteq L(S_g)$ and we are done. ($\Rightarrow$): Since $L_g \subseteq \mathcal{G}(r_c, u_c)^* f_c(g)$ and $\underline{L}_g \subseteq L_g$ we find that for every word $w' \in L_g \setminus \underline{L}_g$ there exists a word $w \in \underline{L}_g$ resulting from $w'$ by erasing symbols in $\mathcal{G}(u_c, r_c)$. Hence, Lemma 1 shows that erasing symbols in $\mathcal{G}(u_c, r_c)$ does not affect compatibility. The proof concludes by observing that compatibility is further preserved for $t$, and we are done. $\square$

The leader monotonicity lemma requires the following technical observation.

Lemma 8. Let $t \in \Upsilon$ and $L \subseteq \mathcal{G}(r_c, f_c, w_c, u_c)^*$ satisfying the following condition: if $\alpha f_c(g) \beta_1 \beta_2 \in L$, then $\alpha f_c(g) \beta_1 w_c(g) \beta_2 \in L$. For every $v, v' \in P_t \cap L(S^D)$:

if $v \parallel L(S^E) \parallel L \neq \emptyset$ and $v' \ge v$, then $v' \parallel L(S^E) \parallel L \neq \emptyset$.

Because $v, v' \in P_t \cap L(S^D)$ over alphabet $\Sigma^D = \mathcal{G}(r_d, w_d, f_c, w_c)$ and $v' \ge v$ we find that $v$ can be obtained from $v'$ by erasing factors that are necessarily of the form $w_*(g)\, r_d(g)^*$ or $r_d(g)$. In particular $v, v' \in P_t$ shows that $\mathit{Proj}_{\mathcal{G}(f_c)}(v) = \mathit{Proj}_{\mathcal{G}(f_c)}(v') = t$.$^3$ The proof of Lem. 8 is by induction on the number of those factors.

Lemma 9 (Leader Monotonicity Lemma). Let $t \in \Upsilon$ and $L \subseteq \mathcal{G}(r_c, f_c, w_c, u_c)^*$ satisfying: if $\alpha f_c(g) \beta_1 \beta_2 \in L$, then $\alpha f_c(g) \beta_1 w_c(g) \beta_2 \in L$. For every cover $L_t$ of $P_t \cap L(DS)$:

$(P_t \cap L(DS)) \parallel L(S^E) \parallel L \neq \emptyset$ iff $L_t \parallel L(S^E) \parallel L \neq \emptyset$.

Proof. ($\Leftarrow$): It follows from $L_t \subseteq (P_t \cap L(DS))$. ($\Rightarrow$): We conclude from the hypothesis that there exists $w \in P_t \cap L(DS)$ such that $w \parallel L(S^E) \parallel L \neq \emptyset$. Since $L_t$ is a cover of $P_t \cap L(DS)$, we find that there exists $w' \in L_t$ such that $w' \ge w$ and $w' \in P_t \cap L(DS)$. Finally, $DS = D \parallel S^D$ shows that $w, w' \in P_t \cap L(S^D)$, hence that $w' \parallel L(S^E) \parallel L \neq \emptyset$ following Lem. 8, and finally that $L_t \parallel L(S^E) \parallel L \neq \emptyset$ because $w' \in L_t$. $\square$

4 Complexity of safety verification of non-atomic networks

Recall that the safety verification problem for machines $M_D$ and $M_C$ consists in deciding if the $([\![M_D]\!], [\![M_C]\!])$-network is safe. Notice that the size of the input is the size of the machines, and not the size of its LTSs, which might even be infinite. We study the complexity of safety verification for different machine classes.

Given two classes of machines $\mathbf{D}, \mathbf{C}$ (like finite-state machines or pushdown machines, see below), we define the class of $(\mathbf{D}, \mathbf{C})$-networks as the set $\{ ([\![D]\!], [\![C]\!])\text{-network} \mid D \in \mathbf{D}, C \in \mathbf{C} \}$ and denote by Safety($\mathbf{D}, \mathbf{C}$) the restriction of the safety verification problem to pairs of machines $M_D \in \mathbf{D}$ and $M_C \in \mathbf{C}$. We study the complexity of the problem when leader and contributors are finite-state machines (FSM) and pushdown machines (PDM).$^4$ In this paper a FSM is just another name for a finite-state LTS, and the LTS $[\![A]\!]$ of a FSM $A$ is $A$, i.e. $[\![A]\!] = A$. We define the size $|A|$ of a FSM $A$ as the size of its transition relation. A (read/write) pushdown machine is a tuple $P = (Q, \mathcal{G}(r, w), \Gamma, \Delta, \gamma_0, q_0)$, where $Q$ is a finite set of states including the initial state $q_0$, $\Gamma$ is a stack alphabet that contains the initial stack symbol $\gamma_0$, and $\Delta \subseteq (Q \times \Gamma) \times (\mathcal{G}(r, w) \cup \{\lambda\}) \times (Q \times \Gamma^*)$ is a set of rules. A configuration of a PDM $P$ is a pair $(q, \gamma) \in Q \times \Gamma^*$. The LTS $[\![P]\!]$ over $\mathcal{G}(r, w)$ associated to $P$ has $Q \times \Gamma^*$ as states, $(q_0, \gamma_0)$ as initial state, and a transition $(q, \gamma \bar{\gamma}) \xrightarrow{a} (q', \gamma' \bar{\gamma})$ iff $(q, \gamma, a, q', \gamma') \in \Delta$. Define the size of a rule $(q, \gamma, a, q', \gamma') \in \Delta$ as $|\gamma'| + 5$ and the size $|P|$ of a PDM as the sum of the size of rules in $\Delta$.

Determinism. We show that lower bounds (hardness) for the safety verification problems can be achieved already for deterministic machines. An LTS $T$ over a read-write alphabet is deterministic if for every state $s$ and every pair of transitions $s \xrightarrow{a_1} s_1$ and $s \xrightarrow{a_2} s_2$, if $s_1 \neq s_2$ then $a_1$ and $a_2$ are reads, and they read different values. Intuitively, for any state of a store $S$, a deterministic LTS $T$ can take at most one transition in $S \parallel T$. A $(D, C)$-network is deterministic if $D$ and $C$ are deterministic LTSs. Given a class $X$ of machines, we denote by $dX$ the subclass of machines $M$ of $X$ such that $[\![M]\!]$ is a deterministic LTS over the read-write alphabet. Notice that this notion does not coincide with the usual definition of a deterministic automaton.

$^3$ $\mathit{Proj}_{\Sigma'}(w)$ returns the projection of $w$ onto alphabet $\Sigma'$.

$^4$ We also define FSA and PDA as the automaton (i.e. language acceptor) counterpart of FSM and PDM, respectively. As expected, definitions are identical except for an additional accepting component given by a subset of states in which the automaton accepts.

The observation is that a network with non-deterministic processes can be simulated 
by deterministic ones while preserving safety; intuitively, the inherent non-determinism 
of interleaving can simulate non-deterministic choice in the machines. 

Lemma 10 (Determinization Lemma). There is a polynomial-time procedure that takes a pair $(D, C)$ of LTSs and outputs a pair $(D', C')$ of deterministic LTSs such that the $(D,C)$-network is safe iff the $(D',C')$-network is safe.

We prove the lemma by eliminating non-determinism as follows. Suppose $D$ is non-deterministic by having transitions $(q, r_d(g), q')$ and $(q, r_d(g), q'')$. To resolve this non-determinism, we define $D'$ and $C'$ by modifying $D$ and $C$ as follows: we add new states $q_1, q_2, q_3, q_4$ to $D$ and replace the two transitions $(q, r_d(g), q')$ and $(q, r_d(g), q'')$ by the transitions $(q, r_d(g), q_1)$, $(q_1, w_d(\mathit{nd}), q_2)$, $(q_2, r_d(0), q_3)$, $(q_3, w_d(g), q')$, $(q_2, r_d(1), q_4)$ and $(q_4, w_d(g), q'')$. Let $q_0$ be the initial state of $C$. We add two new states $\bar q$ and $\hat q$ to $C$ and the transitions $(q_0, r_c(\mathit{nd}), \bar q)$, $(\bar q, w_c(0), \hat q)$, $(\hat q, w_c(1), q_0)$. Finally, we extend the store to accommodate the new values $\{0, 1, \mathit{nd}\}$. It follows that $D'$ has one fewer pair of non-deterministic transitions than $D$. Similar transformations can eliminate other non-deterministic transitions (e.g., two writes from a state) or non-determinism in $C$.
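The gadget above, as an added example that is not part of the paper: the leader's pair of reads of the same value is replaced by the six transitions of Lemma 10, and the contributor gets the three-state helper loop at its initial state. The transition encoding, the fresh state names (`d0`, `d1`, ..., `c_nd0`, `c_nd1`) and the assumption that the store values `"nd"`, `"0"` and `"1"` are not already in use are mine; `is_deterministic` implements the definition of determinism given in this section.

```python
from itertools import combinations, count

# Transition tables are lists of (state, (kind, value), next_state) triples,
# kind being "r" (read) or "w" (write); this encoding is mine, not the paper's.

def is_deterministic(transitions):
    """Determinism as defined in Sect. 4: for every state, any two transitions
    that lead to different states must both be reads, of different values."""
    outgoing = {}
    for s, act, t in transitions:
        outgoing.setdefault(s, []).append((act, t))
    for outs in outgoing.values():
        for (a1, t1), (a2, t2) in combinations(outs, 2):
            if t1 != t2 and not (a1[0] == "r" == a2[0] and a1[1] != a2[1]):
                return False
    return True

def determinize_reads(leader, contributor):
    """Lemma 10's gadget for one source of non-determinism: a state q of the
    leader with two reads of the same value g going to different states.
    Returns (leader', contributor') over a store extended with the fresh
    values "nd", "0" and "1" (assumed unused); the contributor gains a
    three-state helper loop at its initial state c0 that answers "nd" with
    a "0" and then a "1"."""
    D, (C, c0) = list(leader), contributor
    used = {x for s, _, t in D for x in (s, t)}
    fresh = (f"d{i}" for i in count())          # hypothetical fresh state names
    def new_state():
        q = next(q for q in fresh if q not in used)
        used.add(q)
        return q
    while True:
        pair = next((((q, a, t1), (q2, a2, t2))
                     for (q, a, t1), (q2, a2, t2) in combinations(D, 2)
                     if q == q2 and a == a2 and a[0] == "r" and t1 != t2), None)
        if pair is None:
            break
        (q, (_, g), t1), (_, _, t2) = pair
        for tr in pair:
            D.remove(tr)
        q1, q2, q3, q4 = (new_state() for _ in range(4))
        D += [(q, ("r", g), q1), (q1, ("w", "nd"), q2),      # announce a choice
              (q2, ("r", "0"), q3), (q3, ("w", g), t1),      # a contributor said 0
              (q2, ("r", "1"), q4), (q4, ("w", g), t2)]      # a contributor said 1
    # contributor side of the gadget: read nd, write 0, write 1, back to c0
    helper = [(c0, ("r", "nd"), "c_nd0"), ("c_nd0", ("w", "0"), "c_nd1"),
              ("c_nd1", ("w", "1"), c0)]
    return D, list(C) + helper

# Constructed inputs: from p, reading g leads non-deterministically to a or b.
LEADER = [("p", ("r", "g"), "a"), ("p", ("r", "g"), "b"), ("a", ("w", "h"), "a")]
CONTRIBUTOR = ([("c0", ("r", "g"), "c1"), ("c1", ("w", "h"), "c0")], "c0")
```

After the transformation the leader's choice is made by whichever contributor's write (`"0"` or `"1"`) the leader happens to read, which is exactly the interleaving non-determinism the lemma relies on; the leader writes `g` back so that the rest of the run sees the register as it was before the read.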

4.1 Complexity of Safety Verification for FSMs and PDMs 

We characterize the complexity of the safety verification problem of non-atomic networks depending on the nature of the leader and the contributors. We show:

    Safety(dFSM, dFSM), Safety(PDM, FSM)     coNP-complete
    Safety(dPDM, dPDM), Safety(PDM, PDM)     PSPACE-complete



Theorem 1. Safety(dFSM, dFSM) is coNP-hard.

We show hardness by a reduction from 3SAT to the complement of the safety verification problem. Given a 3SAT formula, we design a non-atomic network in which the leader and contributors first execute a protocol that determines an assignment to all variables, and use subsets of contributors to store this assignment. For a variable $x$, the leader writes $x$ to the store, inviting proposals for values. On reading $x$, contributors non-deterministically write either "$x$ is 0" or "$x$ is 1" on the store, possibly overwriting each other. At a future point, the leader reads the store, reading the proposal that was last written, say "$x$ is 0." The leader then writes "commit $x$ is 0" on the store. Every contributor that reads this commitment moves to a state where it returns 0 every time the value of $x$ is asked for. Contributors that do not read this message are stuck and do not participate further. The commitment to 1 is similar. Since the leader commits to exactly one value per variable, and contributors only ever store a committed value, this protocol ensures that each variable gets assigned a consistent value.

Then, the leader checks that each clause is satisfied by querying the contributors for the values of variables (recall that contributors return consistent values) and checking each clause locally. If all clauses are satisfied, the leader writes a special symbol #. The safety verification problem checks that # is never written; # can be written iff the formula is satisfiable, so the network is safe iff the formula is unsatisfiable. Finally, Lemma 10 ensures all processes are deterministic.

Theorem 2. Safety(PDM, FSM) is in coNP.

Proof. Fix a $(D,C)$-network $N$, where $P_D$ is a PDM generating $D = \llbracket P_D \rrbracket$, and $C$ is a FSM. Hence $L(D)$ is a context-free language and $L(C)$ is regular. Prop. 1 and Def. 5 (of $N^T$) show that the $(D,C)$-network $N$ is accepting iff $L(D \,\|\, S^T \,\|\, \big\|_{g \in \mathcal G} S_g) \cap P_T \neq \emptyset$. Since $C$ is given by a FSM, so is $C^T$. Further, $L_g = L(C^T) \cap \Theta(r_d, u_c)^* f_c(g)$ has a support captured by those paths in $C^T$ whose label ends with $f_c(g)$ and in which no state is entered more than once. Therefore if $C^T$ has $k$ states then the set of labels of paths starting from the initial state, of length at most $k + 1$ and ending with $f_c(g)$ is a support, call it $\hat L_g$, of $L_g$. Next, Lem. 7 shows that deciding $L(D \,\|\, S^T \,\|\, \big\|_{g \in \mathcal G} S_g) \cap P_T \neq \emptyset$ is equivalent to deciding $L(D \,\|\, S^T \,\|\, \big\|_{g \in \mathcal G} \mathrm{Pref}(\hat L_g \cdot w_c(g)^*)) \cap P_T \neq \emptyset$.

Note that this last check does not directly provide an NP algorithm for non-safety because, due to the write records, $S^T$ is exponentially larger than $|\mathcal G|$. So, we proceed by pushing down sequences of first writes and obtain the following equivalent statement: $L(D) \,\|\, (L(S^T) \cap P_T) \,\|\, \big(\big\|_{g \in \mathcal G} L(\mathrm{Pref}(\hat L_g \cdot w_c(g)^*)) \cap P_T\big) \neq \emptyset$.

Now, we get an NP algorithm as follows: (a) guess $\tau \in T_\#$ (this can be done in time polynomial in $|\mathcal G|$); (b) construct in polynomial time a FSA $A_1$ for $L(S^T) \cap P_\tau$ ($A_1$ results from $S^T$ by keeping the $|\tau|$ write records corresponding to $\tau$); (c) for each $g \in \tau$, guess $z_g \in \hat L_g$ (the guess can be done in polynomial time); (d) guess $z \in (\big\|_{g \in \tau} z_g) \cap P_\tau$ (this fixes a sequence of reads, useless writes and first writes of the contributors according to $\tau$); (e) construct in polynomial time a FSA $A_2$ such that $L(A_2)$ is the least language containing $z$ and such that if $\alpha f_c(g) \beta_1 \beta_2 \in L(A_2)$ then $\alpha f_c(g) \beta_1 w_c(g) \beta_2 \in L(A_2)$ (intuitively we add self-loops with write actions of $\Theta(w_c)$ to the FSA accepting $z$ such that $w_c(g)$ may occur provided $f_c(g)$ has previously occurred); (f) construct in time polynomial in $|P_D|$ a context-free grammar (CFG) $G_D$ such that $L(G_D) = L(P_D)$; (g) construct in polynomial time a CFG $G$ such that $L(G) = L(G_D) \,\|\, L(A_1) \,\|\, L(A_2)$ (this can be done in time polynomial in $|G_D| + |A_1| + |A_2|$ as stated in Prop. 2, Sect. D); (h) check in polynomial time whether $L(G) \neq \emptyset$. □

The complexity of the problem becomes higher when all the processes are PDMs. 

Theorem 3. Safety(dPDM, dPDM) is PSPACE-hard.

PSPACE-hardness is shown by a reduction from the acceptance problem of a polynomial-space deterministic Turing machine. The proof is technical. The leader and contributors simulate steps of the Turing machine in rounds. The stack is used to store configurations of the Turing machine. In each round, the leader sends the current configuration of the Turing machine to the contributors by writing the configuration one element at a time onto the store and waiting for an acknowledgement from some contributor that the element was received. The contributors receive the current configuration and store the next configuration on their stacks. In the second part of the round, the contributors send back the configuration to the leader. The leader and contributors use their finite state to make sure all elements of the configuration are sent and received.

Additionally, the leader and the contributors use the stack to count to $2^n$ steps. If both the leader and some contributor count to $2^n$ in a computation, the construction ensures that the Turing machine has been correctly simulated for $2^n$ steps, and the simulation is successful. The counting eliminates bad computation sequences in which contributors conflate the configurations from different steps due to asynchronous reads and writes.

Next we sketch the upper PSPACE bound that uses constructions on approximations 
of context-free languages. Those are detailed in the appendix. 

Theorem 4. Safety(PDM, PDM) is in PSPACE.

Proof. Let $P_D$ and $P_C$ be PDMs respectively generating $D = \llbracket P_D \rrbracket$ and $C = \llbracket P_C \rrbracket$, hence $L(D)$ and $L(C)$ are context-free languages. Proposition 1 shows that the $(D,C)$-network $N$ is accepting iff $L(N^T) \cap P_T \neq \emptyset$ iff $L(D^S \,\|\, S^T \,\|\, \big\|_{g \in \mathcal G} S_g) \cap P_T \neq \emptyset$ (by (1)). From the construction of the Simulation Lemma, for each $g \in \mathcal G$ the language $L_g = L(C^T) \cap \Theta(r_d, u_c)^* f_c(g)$ is context-free, and so is $L(S_g)$. Given $P_C$ we compute in polynomial time a PDA $P_g$ such that $L(P_g) = L_g$. Next,

$L(D^S \,\|\, S^T \,\|\, \big\|_{g \in \mathcal G} S_g) \cap P_T \neq \emptyset$

iff $(L(D^S) \cap P_T) \,\|\, L(S^T) \,\|\, \big\|_{g \in \mathcal G} L(S_g) \neq \emptyset$

iff $(L(D^S) \cap P_T) \,\|\, L(S^T) \,\|\, \big\|_{g \in \mathcal G} \mathrm{Pref}(L(P_g) \cdot w_c(g)^*) \neq \emptyset$   (2)

iff $(\bigcup_{\tau \in T_\#} L_\tau) \,\|\, L(S^T) \,\|\, \big\|_{g \in \mathcal G} \mathrm{Pref}(L(P_g) \cdot w_c(g)^*) \neq \emptyset$   (3)

(2) follows from the definition of $S_g$ and $L_g = L(P_g)$; (3) follows from Lem. 6 by letting $L_\tau$ be a cover of $L(D^S) \cap P_\tau$ and $L(P_g)$ be a support of $L(P_g)$.

Next, for all $g \in \mathcal G$ we compute a FSA $A_g$ such that $L(A_g)$ is a support of $L(P_g)$. Our first language-theoretic construction shows that the FSA $A_g$ can be computed in time exponential but space polynomial in $|P_g|$. Then, because $L(S^T)$ is a regular language, we compute in space polynomial in $|P_D| + |P_C|$ a FSA $A_C$ such that $L(A_C) = L(S^T) \,\|\, \big\|_{g \in \mathcal G} \mathrm{Pref}(L(A_g) \cdot w_c(g)^*)$. Hence, by (3) and because of $T_\#$ (guessing and checking $\tau \in T_\#$ is done in time polynomial in $|\mathcal G|$) we find that it suffices to prove that $L_\tau \,\|\, L(A_C) \neq \emptyset$ is decidable in space polynomial in $|P_D| + |P_C|$.

To compute a cover $L_\tau$ of $L(D^S) \cap P_\tau$ we need results about the $k$-index approximations of a context-free language [4]. Given a CFG $G$ in CNF and $k \geq 1$, we define the $k$-index approximation of $L(G)$, denoted by $L^{(k)}(G)$, as the set of words of $L(G)$ having a derivation in which every intermediate word contains at most $k$ occurrences of variables. We further introduce an operator $\times$ which, given $G$ and a FSA $A$, computes in polynomial time a context-free grammar $G \times A$ such that $L(G \times A) = L(G) \,\|\, L(A)$. We prove the following properties:

1. $L^{(3m)}(G)$ is a cover of $L(G)$, where $m$ is the number of variables of $G$;

2. for every FSA $A$ and $k \geq 1$, $L^{(k)}(G \times A) = L^{(k)}(G) \,\|\, L(A)$;

3. $L^{(k)}(G) \neq \emptyset$ on input $G, k$ can be decided in $\mathrm{NSPACE}(k \log(|G|))$.

Equipped with these results, the proof proceeds as follows. Let $G_D$ be a context-free grammar such that $L(G_D) = L(P_D)$. It is well-known that $G_D$ can be computed in time polynomial in $|P_D|$. Next, given $\tau$, we compute a grammar $G_\tau$ recognizing $P_\tau \cap L(D^S)$ as follows. The definition of $D^S$ shows that $P_\tau \cap L(D^S) = L(D) \,\|\, (L(S^T) \cap P_\tau)$. We then compute a FSA $S_\tau$ such that $L(S_\tau) = L(S^T) \cap P_\tau$.  This can be done in time polynomial in $|P_D| + |P_C|$ because $S_\tau$ is the restriction of $S^T$ in which the write records are totally ordered according to $\tau$ and there are exactly $|\tau|$ of them. Therefore we obtain $P_\tau \cap L(D^S) = L(G_D) \,\|\, L(S_\tau)$ because $L(G_D) = L(D)$. Define $G_\tau$ as the CFG $G_D \times S_\tau$, which can be computed in time polynomial in $|G_D| + |S_\tau|$, hence in $|P_D| + |P_C|$. Clearly $L(G_\tau) = P_\tau \cap L(D^S)$. Further, $L^{(k)}(G_\tau)$ is a cover of $L(G_\tau)$ for some $k \leq p(|P_D|)$, where $p$ is a suitable polynomial.

By item 2, $L^{(k)}(G_\tau) \,\|\, L(A_C) = L^{(k)}(G_\tau \times A_C)$, where the grammar $G_\tau \times A_C$ can be constructed in exponential time and space polynomial in $|P_D| + |P_C|$. Now we apply a generic result of complexity (see e.g. Lemma 4.17, [3]), slightly adapted: given functions $f_1, f_2 : \Sigma^* \to \Sigma^*$ and $g : \Sigma^* \times \Sigma^* \to \Sigma^*$, if $f_i$ can be computed by an $s_{f_i}$-space-bounded Turing machine, and $g$ can be computed by an $s_{g_1}(|x_1|) \cdot s_{g_2}(|x_2|)$-space-bounded Turing machine, then $g(f_1(x), f_2(x))$ can be computed in $\log(|f_1(x)| + |f_2(x)|) + s_{f_1}(|x|) + s_{f_2}(|x|) + s_{g_1}(|f_1(x)|) \cdot s_{g_2}(|f_2(x)|)$ space. We have

- $f_1$ is the function that computes $G_\tau \times A_C$ on input $(P_D, P_C)$, and $f_2$ is the function that on input $P_D$ computes $3m$, where $m$ is the number of variables of $G_\tau$. So the output size of $f_1$ is exponential in the input size, while it is polynomial for $f_2$. Moreover, $s_{f_i}$ for $i = 1, 2$ is polynomial.

- $g$ is the function that on input $(G_\tau \times A_C, 3m)$ yields 1 if $L^{(3m)}(G_\tau \times A_C) \neq \emptyset$, and 0 otherwise, where $m$ is the number of variables of $G_\tau$. By item 3, $s_{g_1}$ is logarithmic and $s_{g_2}$ is linear.

Finally, the generic complexity result shows that $g \circ f$ can be computed in space polynomial in $|P_D| + |P_C|$, and we are done. □

We note that our three language-theoretic constructions (the construction of an automaton $A_g$ accepting a support of $L(P_g)$ of size at most exponential in $|P_g|$, and results 1, 2, and 3 in the proof above) improve upon previous constructions, and are all required for the optimal upper bound. Hague [17] shows an alternate doubly exponential construction using a result of Ehrenfeucht and Rozenberg in place of Theorem 6. This gave a 2EXPTIME algorithm. Even after using our exponential time construction for $A_g$, we can only get an EXPTIME algorithm, since the non-emptiness problem for (general) context-free languages is P-complete [18]. Our bounded-index approximation for the cover and the space-efficient emptiness algorithm for bounded-index languages are crucial to the PSPACE upper bound.



4.2 The bounded safety problem 

Given $k \geq 0$, we say that a $(D,C)$-network is $k$-safe if all traces in which the leader and each contributor make at most $k$ steps are safe; i.e., we put a bound of $k$ steps on the runtime of each process, and consider only safety within this bound. Here, a step consists of a read or a write of the shared register. The bound does not limit the total length of traces, because the number of contributors is unbounded. The bounded safety problem asks, given $D$, $C$, and $k$ written in unary, if the $(D,C)$-network is $k$-safe. Given a class of $(D,C)$-networks, we define BoundedSafety($\mathcal D$, $\mathcal C$) as the restriction of the $k$-safety problem to pairs of machines $M_D \in \mathcal D$ and $M_C \in \mathcal C$, where we write $k$ in unary. A closer look at Theorem 1 shows that its proof reduces the satisfiability problem for a formula $\varphi$ to the bounded safety problem for a $(D,C)$-network and a number $k$, all of which have size polynomial in $|\varphi|$. This proves that BoundedSafety(dFSM, dFSM) is coNP-hard. We show that, surprisingly, bounded safety remains coNP-complete for pushdown systems, and, even further, for arbitrary Turing machines. Notice that the problem is already coNP-complete for one single Turing machine.

We sketch the definition of the Turing machine model, which differs slightly from the usual one. Our Turing machines have two kinds of transitions: the usual transitions that read and modify the contents of the work tape, and additional transitions with labels in $\Theta(r,w)$ for communication with the store. The machines are input-free, i.e., the input tape is always initially empty.

Theorem 5. BoundedSafety(TM, TM) is coNP-complete.

Proof. coNP-hardness follows from Theorem 1. To prove that BoundedSafety(TM, TM) is in coNP we give an NP algorithm for its complement, using the Simulation Lemma. Let $M_D, M_C, k$ be an instance of the problem, where $M_D, M_C$ are Turing machines of sizes $n_D, n_C$ with LTSs $D = \llbracket M_D \rrbracket$ and $C = \llbracket M_C \rrbracket$, and let $n_D + n_C = n$. In particular, we can assume $|\mathcal G| \leq n$, because we only need to consider actions that appear in $M_D$ and $M_C$. If the $(D,C)$-network is not $k$-safe, then by definition there exist $u \in L(D)$ and a finite multiset $M$ of traces over $L(C^T)$ such that $u$ is compatible with $M$ following some $\tau \in T_\#$; moreover, $u$ and all the traces in $M$ have length at most $k$. By Cor. 1 and Lem. 1 (showing we can drop traces without a first or regular write), there exists a set $S = \{s_{g_1}, \ldots, s_{g_m}\}$ with $m \leq |\mathcal G| \leq n$, where $s_{g_i} \in L_{g_i} \cdot w_c(g_i)^*$, and numbers $i_1, \ldots, i_m$ such that $u$ is compatible with $\{s_{g_1} w_c(g_1)^{i_1}, \ldots, s_{g_m} w_c(g_m)^{i_m}\}$ following $\tau$. Since each of the $s_{g_i}$ is obtained by suitably renaming the actions of a trace, we have $|s_{g_i}| \leq k$. Moreover, since the $w_c(g_j)^{i_j}$ parts provide the writes necessary to execute the reads of the $s_{g_i}$ sequences, and there are at most $k \cdot (m + 1) \leq k \cdot (n + 1)$ of them, the numbers can be chosen so that $i_1, \ldots, i_m \leq O(n \cdot k)$ holds.

We present a nondeterministic polynomial algorithm that decides if the $(D,C)$-network is $k$-unsafe. The algorithm guesses $\tau \in T_\#$ and traces $u, s_{g_1}, \ldots, s_{g_m}$ of length at most $k$. Since there are at most $n + 1$ of those traces, this can be done in polynomial time. Then, the algorithm guesses numbers $i_1, \ldots, i_m$. Since the numbers can be chosen so that $i_1, \ldots, i_m \leq O(n \cdot k)$, this can also be done in polynomial time. Finally, the algorithm guesses an interleaving of $u, s_{g_1} w_c(g_1)^{i_1}, \ldots, s_{g_m} w_c(g_m)^{i_m}$ and checks compatibility following $\tau$. This can be done in $O(n^2 \cdot k)$ time. If the algorithm succeeds, then there is a witness that $(L(D) \,\|\, L(S^T) \,\|\, \big\|_{g \in \mathcal G} L(S_g)) \cap P_\tau \neq \emptyset$ holds, which shows, by Prop. 1 and Def. 5 (of $N^T$), that the $(D,C)$-network is unsafe. □

A TM is poly-time if it takes at most p{n) steps for some polynomial p, where n is 
the size of (the description of) the machine in some encoding. As a corollary, we get 
that the safety verification problem when leaders and contributors are poly-time Turing 
machines is coNP-complete. Note that the coNP upper bound holds even though the 
LTS corresponding to a poly-time TM is exponentially larger than its encoding. 
A Combinatorics

Proof (of Lem. 8). Because $v, v' \in P_\tau \cap L(S^T)$ over the alphabet $\Sigma_S = \Theta(r_d, w_d, f_c, w_c)$ and $v' \succeq v$, we find that $v$ can be obtained from $v'$ by erasing factors that are necessarily of the form $w_*(g)\, r_d(g)^*$ or $r_d(g)$. In particular $v, v' \in P_\tau$ shows that $\mathrm{Proj}_{\Theta(f_c)}(v) = \mathrm{Proj}_{\Theta(f_c)}(v') = \tau$.⁵

The proof is by induction on the number $m$ of those factors. If $m = 0$ then $v' = v$ and we are done. Now, let $m > 0$ and let $v_\dagger$ be the trace which results from erasing one factor $\sigma \in (\Theta(w_d, w_c)\,\Theta(r_d)^* \cup \Theta(r_d))$ from $v'$. That is, $v' = v'_1 \sigma v'_2$ where $v'_1 v'_2 = v_\dagger \succeq v$. Without loss of generality we can assume that if $\sigma \notin \Theta(r_d)$ then the first symbol of $v'_2$ is a write action (it belongs to $\Theta(f_c, w_c, w_d)$). Also observe that by $S^T$, if $\sigma \in \Theta(r_d)$ then the last write in $v'_1$ writes the value needed by $\sigma$.

Since $v' \in P_\tau \cap L(S^T)$, it is routine to check that $v_\dagger \in P_\tau \cap L(S^T)$. Therefore we conclude from the induction hypothesis and $v_\dagger \succeq v$ that there exists a trace $w_\dagger \in L(S^T) \,\|\, L$ such that $v_\dagger \,\|\, w_\dagger \neq \emptyset$, equivalently that $\mathrm{Proj}_{\Sigma_S}(w_\dagger) = v_\dagger$ since $\Sigma_S \subseteq \Sigma_{S^T}$. Observe that $w_\dagger$ can be divided into $w'_1 w'_2$ such that $\mathrm{Proj}_{\Sigma_S}(w'_i) = v'_i$ for $i = 1, 2$. Let $w_1$ be the (possibly empty) suffix of $w'_1$ starting after the last occurrence of an action of $\Sigma_S$ and let $w_2$ be the (possibly empty) prefix of $w'_2$ ending before the first occurrence of an action of $\Sigma_S$. Then $L(S^T)$ shows that $w_1 w_2$ belongs to $\Theta(r_c)^*\,\Theta(u_c)^*$.

Let us now consider the added factor $\sigma$. First, let us notice that $\mathrm{Proj}_{\Sigma_S}(w'_1 \sigma w'_2) = v'_1 \sigma v'_2 = v'$. Thus it suffices to show that $w'_1 \sigma w'_2 \in L(S^T) \,\|\, L$.

Now, if $\sigma \in \Theta(r_d)$, we can choose $w'_1$ and $w'_2$ such that $w_1 = \varepsilon$. Notice that, as for $v'_1$ and $v'_2$, the last write that occurs in $w'_1$ writes the value needed by $\sigma$ and so $w'_1 \sigma w'_2 \in L(S^T)$. Hence we find that $w'_1 \sigma w'_2 \in L(S^T) \,\|\, L$ because the alphabet of $L$ is disjoint from $\Theta(r_d)$.

On the other hand, if $\sigma \notin \Theta(r_d)$ we can choose $w'_1$ and $w'_2$ such that $w_2 = \varepsilon$. Then $\sigma = w_*(g)\, r_d(g)^i$ for some $i \in \mathbb N$. Also $w'_1 \sigma w'_2 \in L(S^T)$ because, as assumed above, the first symbol of $w'_2$ is a write action.

Finally, if $\sigma = w_d(g)\, r_d(g)^i$ we find that $w'_1 \sigma w'_2 \in L(S^T) \,\|\, L$ because the alphabet of $L$ is disjoint from $\Theta(w_d, r_d)$. Else if $\sigma = w_c(g)\, r_d(g)^i$ we find, by $S^T$, that $f_c(g)$ must occur in $w'_1$, hence that $w_c(g)$ can be matched in $L$ following the hypothesis on $L$. □



B coNP lower bound 

Proof (of Theorem 1). We give a reduction from 3SAT to the complement of the safety 
verification problem. Given a 3SAT formula with n variables and m clauses, we con- 
struct a deterministic leader D and a deterministic contributor C such that the (D, C)- 
network writes a special symbol # iff the formula is satisfiable. The leader uses the 
contributors to guess and store an assignment, and then checks if each clause is satis- 
fied. 



⁵ $\mathrm{Proj}_{\Sigma'}(w)$ returns the projection of $w$ onto the alphabet $\Sigma'$.
Gadget to guess and retrieve a bit. The reduction uses the following protocol between the leader and the contributors to guess a bit and maintain the guess consistently. To assign a value to bit, the leader writes bit to the global store. The contributors who read bit from the store then write propose-bit-is-$i$, $i = 0, 1$, on the store, possibly one after the other. The leader reads the store at some (non-deterministic) point, and reads the last write by one of the contributors proposing either 0 or 1. If it reads propose-bit-is-0 (the 1 case is identical), it writes back that it commits to setting the bit to 0 (writing commit-bit-is-0). Contributors who read commit-bit-is-0 move on to the next phase, where they deliver bit-is-0 each time they are asked the value of bit. That is, they wait to read a get-value-of-bit message, and reply with bit-is-0.

Similarly, if the leader commits to a 1, contributors who read the message come to the consensus that the bit is 1. Contributors who miss the commit message are stuck. This protocol ensures that the leader and contributors can reach consensus on the value of a bit, and even though they are deterministic, the value of the bit is chosen non-deterministically, based on when the leader reads a value (propose-bit-is-$i$, $i = 0, 1$) from the store. Notice that an arbitrary number of contributors can participate and potentially overwrite each other, but the bit is fixed to a single chosen value, because only the leader writes commit messages and it writes exactly one of them per bit.

Reduction from 3SAT. The leader uses the above protocol to "assign" non-deterministically chosen consensus values to each variable $x_1, \ldots, x_n$. Then, it checks sequentially that each clause is satisfied by this assignment. To do this, it gets the literals from the contributors and checks if the clause is satisfied. To get the assigned value of a variable $x$, the leader writes get-value-of-$x$ on the store. The contributors that are storing an assignment to $x$ (i.e., those who completed the consensus protocol for $x$) and who read this message write the consensus value (using the values $x$-is-0 or $x$-is-1). Even if several contributors write, they write the same value.

Suppose the formula is satisfiable. Then, there is an execution of the protocol where the contributors reach a consensus for each bit corresponding to a satisfying assignment, and the leader succeeds in checking all clauses. Then, the value # gets written to the store and the $(D,C)$-network is accepting. On the other hand, if the formula is not satisfiable, then the leader never succeeds in checking all clauses and # never gets written. Note that the size of $D$ and $C$ is $O(m + n)$ and that they are deterministic. □
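The reduction of Theorem 1, as spelled out in this appendix, run as a state-space exploration. This is an added example, not the paper's code: the message tuples (`("var", x)`, `("prop", x, v)`, `("commit", x, v)`, `("get", x)`, `("val", x, v)`, `("hash",)`), the transition-table encoding and the function names are mine. The exploration fixes the number of contributors to one per variable, which is enough here: the protocol needs one contributor to hold each committed value, and when the formula is unsatisfiable no number of contributors can make # reachable, because every reply carries the single committed value of its variable. The contributor keeps the two proposal writes as its only non-deterministic choice, the one Lemma 10 removes; the leader is deterministic in the sense of Sect. 4.

```python
from collections import deque

# Encoding used in this example (mine, not the paper's): a process is
# (transitions, initial_state); transitions maps a state to a list of
# (kind, value, next_state) with kind "r" (read `value` from the register)
# or "w" (write `value`).  Values are tuples, so the register alphabet is
# finite for a fixed formula.  Clauses are lists of (variable, polarity).

def leader(variables, clauses):
    """Deterministic leader D: fixes one variable at a time through the
    propose/commit protocol, then checks every clause literal by literal."""
    n, m, T = len(variables), len(clauses), {}
    add = lambda s, kind, val, t: T.setdefault(s, []).append((kind, val, t))
    for i, x in enumerate(variables):
        add(("ask", i), "w", ("var", x), ("wait", i))
        for v in (0, 1):
            add(("wait", i), "r", ("prop", x, v), ("commit", i, v))
            add(("commit", i, v), "w", ("commit", x, v),
                ("ask", i + 1) if i + 1 < n else (("clause", 0, 0) if m else ("done",)))
    for j, clause in enumerate(clauses):
        for l, (x, pol) in enumerate(clause):
            add(("clause", j, l), "w", ("get", x), ("answer", j, l))
            # literal true under the committed value: next clause (or done);
            # false: try the next literal, and with none left the leader is stuck
            add(("answer", j, l), "r", ("val", x, pol),
                ("clause", j + 1, 0) if j + 1 < m else ("done",))
            if l + 1 < len(clause):
                add(("answer", j, l), "r", ("val", x, 1 - pol), ("clause", j, l + 1))
    add(("done",), "w", ("hash",), ("halt",))
    return T, ("ask", 0)

def contributor(variables):
    """Contributor C: adopts one variable, proposes a value for it, keeps the
    committed value and answers every query for it with that value."""
    T = {}
    add = lambda s, kind, val, t: T.setdefault(s, []).append((kind, val, t))
    for x in variables:
        add("init", "r", ("var", x), ("read", x))
        for v in (0, 1):
            add(("read", x), "w", ("prop", x, v), ("proposed", x))   # non-deterministic
            add(("proposed", x), "r", ("commit", x, v), ("hold", x, v))
            add(("hold", x, v), "r", ("get", x), ("reply", x, v))
            add(("reply", x, v), "w", ("val", x, v), ("hold", x, v))
    return T, "init"

def can_write(D, C, n_contributors, target):
    """Breadth-first exploration of all interleavings of the leader and
    n_contributors copies of the contributor over one non-atomic register.
    Returns True iff some run writes `target`."""
    (TD, d0), (TC, c0) = D, C
    start = (d0, tuple([c0] * n_contributors), ("empty",))
    seen, todo = {start}, deque([start])
    while todo:
        d, cs, reg = todo.popleft()
        succ = []
        for kind, val, t in TD.get(d, []):
            if kind == "w":
                succ.append((t, cs, val))
            elif reg == val:                      # a read only fires on its value
                succ.append((t, cs, reg))
        for i, c in enumerate(cs):
            for kind, val, t in TC.get(c, []):
                # contributors are anonymous, so keep their states as a multiset
                new_cs = tuple(sorted(cs[:i] + (t,) + cs[i + 1:], key=repr))
                if kind == "w":
                    succ.append((d, new_cs, val))
                elif reg == val:
                    succ.append((d, new_cs, reg))
        for s in succ:
            if s[2] == target:
                return True
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return False

def formula_satisfiable(variables, clauses):
    """Theorem 1 in action: # is written iff the formula is satisfiable."""
    return can_write(leader(variables, clauses), contributor(variables),
                     len(variables), ("hash",))
```

Two behaviours of the protocol are visible in the exploration: a proposal written late (after the commit) can overwrite the register and strand the leader, but it can never be mistaken for a commit, and two contributors holding the same variable always answer a query with the same value.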

C PSPACE lower bound 

Proof (of Theorem 3). We give a reduction from the acceptance problem of a linear space-bounded deterministic Turing machine to the complement of the safety verification problem. Fix a deterministic TM $M$ that on an input of size $n$ uses at most $n$ tape cells and accepts in exactly $2^n$ steps. We are given an input $x$ and want to check if $M$ accepts $x$. An accepting run is a sequence of TM configurations $c_0 \to c_1 \to \cdots \to c_{2^n}$, where $c_0$ is the initial configuration (the input $x$ is written on the tape, the head points to the leftmost cell, and the TM is in its initial state), there is a transition of the TM from $c_i$ to $c_{i+1}$ for $i = 0, \ldots, 2^n - 1$, and $c_{2^n}$ is accepting. Following the above assumptions, configurations of $M$ can be encoded by words of fixed length.

We define a $(D,C)$-network that simulates $M$ and such that $D = \llbracket P_D \rrbracket$ and $C = \llbracket P_C \rrbracket$ where $P_D$ and $P_C$ are dPDMs. The leader and the contributors co-operatively simulate computations of $M$ using their stacks, and also use the stack to count up to $2^n$ steps. We start by describing the basic gadgets used in the simulation.

Counting to $2^n$ using $n + 2$ stack symbols. We show how a contributor can use its stack to count down from $2^n$. Consider a stack alphabet with $n + 2$ symbols $\{l_0, \ldots, l_n\} \cup \{\$\}$, where $\$$ is a special bottom-of-stack marker. Given a stack over this alphabet, the contributor PDM, provided the top of the stack is $l_i$ for some $0 \leq i \leq n$, performs a decrement operation defined as follows:

1. While the top of the stack is $l_i$ for some $i > 0$, do pop($l_i$); push($l_{i-1}$); push($l_{i-1}$);

2. pop($l_0$) and return.

Suppose initially the stack contains $l_n\$$ (the bottom of the stack is to the right). Then, we reach a stack with $\$$ on the top exactly after popping $l_0$ $2^n$ times, that is, after performing the decrement operation $2^n$ times.

Computing one step of the TM. In the construction, we simulate one step of $M$ by sending a configuration from the leader to the contributors, and then sending back the next configuration from the contributors to the leader.

Assume the reverse of a configuration of the Turing machine is stored as a word $w$ of length $n$ in the stack of the leader and the stacks of the contributors are empty. We want to ensure that at the end of the protocol, the stack of the leader contains the reverse of a successor configuration of $M$, and the stack of the contributor is again empty.

We use the following protocol. The leader and contributors use their finite set of control states to count up to $n$. The leader pops one symbol of $w$ at a time from its stack, writes it onto the global store, and waits for an acknowledgment from some contributor that the symbol has been received. Conversely, the contributors read the letters of $w$ one symbol at a time from the global store. Moreover, using their finite state, the contributors compute the successor configuration of the configuration that is received from the leader and store it on their stacks. Additionally, a contributor sends an acknowledgment for the receipt of each symbol read from the leader.

After $n$ steps of the leader and contributors, the stack of the leader is empty and the stack of the contributor contains $w'$, where $w'$ can be reached from $w$ by executing one step of $M$.

Notice that at the end of this part of the protocol, in spite of asynchronous reads and writes, the leader is certain that all $n$ symbols were received in order, but not necessarily by the same contributor.

The second part of the protocol sends this configuration back from a contributor to the leader. Again, the leader and the contributor use their finite state to count up to $n$. The contributor sends $n$ symbols one at a time to the leader, and waits for an acknowledgement to check that the leader read the same symbol it transferred. After $n$ steps, the leader's stack contains the reverse of $w'$ and the contributor's stack is again empty. Moreover, the contributor is certain that the entire configuration has been correctly received by the leader.

Notice that even in the presence of non-atomic reads and writes, if the leader and some contributor successfully reach the end of the protocol, then the leader and that particular contributor have faithfully simulated one step of the machine. However, we cannot ensure that the same contributor participated in one whole round of the protocol, always reading and writing the latest values and faithfully simulating one step of the Turing machine. For example, it is possible that several contributors, which have simulated the Turing machine for different numbers of steps, participate in the protocol. The simulation catches these discrepancies by counting, as described below.

The reduction. Initially, all contributors push $l_n\$$ onto their stacks. The leader pushes $l_n\$$ onto its stack, and additionally, the reverse of the starting configuration of the Turing machine.

Then, the leader and contributors execute the protocol described above. At the end of the first part of a round, the leader performs a decrement. At the end of the second part of a round, the contributor performs a decrement.

The network accepts the computation (e.g., by outputting a special symbol #) if (1) both the leader and some contributor count up to $2^n$, and (2) at that point, the Turing machine is in an accepting configuration.

Notice that if the leader interacts with the same contributor for $2^n$ rounds, then both of them reduce the counter on their stacks to $\$$ in the same round, and thus have correctly simulated the Turing machine for $2^n$ steps. So, if the stack encodes an accepting configuration, the Turing machine accepts.

Conversely, if the leader interacts with multiple contributors in different rounds, then there is no contributor whose count reaches $2^n$ simultaneously with the leader. All such computations are not faithful simulations of the Turing machine and none of them therefore leads to accepting the computation.

Finally, we note that in the above reduction, all processes are deterministic machines. □



D Language Theoretic Constructions 

We now complete the proof of Theorem 4 by providing the language-theoretic construc- 
tions. We assume familiarity with basic formal language theory [22]. 

A context-free grammar (CFG) is a tuple $G = (X, \Sigma, P, X_0)$ where $X$ is a finite set of variables containing the axiom $X_0$, $\Sigma$ is an alphabet, and $P \subseteq X \times (\Sigma \cup X)^*$ is a finite set of productions (the production $(X, w)$ may also be written $X \to w$). The size of a production $X \to w$ is $|w| + 2$. The size $|G|$ of a CFG $G$ is the sum of the sizes of all productions in $P$. A CFG $G = (X, \Sigma, P, X_0)$ is in Chomsky normal form (CNF) iff $P \subseteq (X \times (\Sigma \cup X^2)) \cup \{(X_0, \varepsilon)\}$. A CFG can be converted to CNF in time polynomial in its size.

Given two strings $u, v \in (\Sigma \cup X)^*$ we define a step relation $u \Rightarrow v$ if there exists a production $(X, w) \in P$ and some words $y, z \in (\Sigma \cup X)^*$ such that $u = yXz$ and $v = ywz$. A step is further said to be leftmost if $y \in \Sigma^*$, that is, the production is applied to the leftmost variable of $u$. We use $\Rightarrow^*$ to denote the reflexive transitive closure of $\Rightarrow$. The language of $G$ is $L(G) = \{w \in \Sigma^* \mid X_0 \Rightarrow^* w\}$ and we call any sequence of steps from $X_0$ to $w \in \Sigma^*$ a derivation. A derivation is leftmost if it is a sequence of leftmost steps.

Given a CFG with relation $\Rightarrow$ between strings, for every $k \geq 1$ we define the sub-relation $\Rightarrow_{(k)}$ of $\Rightarrow$ as follows: $u \Rightarrow_{(k)} v$ iff $u \Rightarrow v$ and both $u$ and $v$ contain at most $k$ occurrences of variables. We denote by $\Rightarrow_{(k)}^*$ the reflexive transitive closure of $\Rightarrow_{(k)}$. The $k$-index language of $G$ is $L^{(k)}(G) = \{w \in \Sigma^* \mid X_0 \Rightarrow_{(k)}^* w\}$ and we call a sequence of $\Rightarrow_{(k)}$ steps from $X_0$ to $w \in \Sigma^*$ a $k$-index derivation.

The following properties hold: $\Rightarrow_{(k)} \subseteq \Rightarrow_{(k+1)}$ for all $k \geq 1$; if $B \Rightarrow_{(k-1)}^* w$ then $BC \Rightarrow_{(k)}^* wC$; moreover, if $BC \Rightarrow_{(k)}^* w$, then there exist $w_1, w_2$ such that $w = w_1 w_2$ and either (i) $B \Rightarrow_{(k-1)}^* w_1$ and $C \Rightarrow_{(k)}^* w_2$, or (ii) $C \Rightarrow_{(k-1)}^* w_2$ and $B \Rightarrow_{(k)}^* w_1$.

Asynchronous product of CFGs and FSAs. Given a CFG $G$ and a FSA $A$, we now define a CFG $G \times A$ such that $L(G \times A) = L(G) \,\|\, L(A)$. Without loss of generality, we assume the set of accepting states of $A$ is a singleton. We further show that the $k$-index language of $G \times A$ is the asynchronous product of the $k$-index language of $G$ and the language of $A$.

Definition 7. Given a CFG $G = (X, \Sigma_G, P, X_0)$ in CNF and a FSA $A = (\Sigma_A, Q, \delta, q_0, \{q_f\})$, we define $G \times A$ as the CFG $G^\times = (X^\times, \Sigma^\times, P^\times, X_0^\times)$. First replace in $G$ every production of the form $X \to \sigma$ ($\sigma \in \Sigma_G \cup \{\varepsilon\}$) by the two productions $X \to \sigma\bot$ and $\bot \to \varepsilon$, where $\bot$ is a variable not in $X$. This modified grammar is again referred to as $G = (X, \Sigma_G, P, X_0)$.

Then define $G^\times = (X^\times, \Sigma^\times, P^\times, X_0^\times)$ as follows:

- $X^\times = Q \times X \times Q$; $\Sigma^\times = \Sigma_G \cup \Sigma_A$; $X_0^\times = (q_0, X_0, q_f)$;

- $P^\times$ contains no more than the following productions:

  • if $X \to \sigma\bot \in P$ and $\sigma \notin \Sigma_A$ then $(q, X, q') \to \sigma\,(q, \bot, q') \in P^\times$;

  • if $\sigma \notin \Sigma_G$ and $(q, \sigma, q') \in \delta$ then $(q, X, q'') \to \sigma\,(q', X, q'') \in P^\times$;

  • if $X \to \sigma\bot \in P$, $(q, \sigma, q') \in \delta$ and $\sigma \neq \varepsilon$ then $(q, X, q'') \to \sigma\,(q', \bot, q'') \in P^\times$;

  • if $X \to YZ \in P$ then $(q_1, X, q_2) \to (q_1, Y, q')\,(q', Z, q_2) \in P^\times$;

  • if $q \in Q$ then $(q, \bot, q) \to \varepsilon \in P^\times$.

Proposition 2. Let $G$, $A$ and $G^\times$ be as in Def. 7. We have $L^{(k)}(G \times A) = L^{(k)}(G) \,\|\, L(A)$ for every $k \geq 1$, hence $L(G \times A) = L(G) \,\|\, L(A)$. Moreover, $G^\times$ is computable in time polynomial in $|G| + |A|$.

Proof. It suffices to show that for each $q, q' \in Q$, $X \in X$ and $k \geq 1$: $(q, X, q') \Rightarrow_{(k)}^* w$ iff $w \in w'' \,\|\, w^A$, $X \Rightarrow_{(k)}^* w''$ in $G$ and $q \xrightarrow{w^A} q'$ in $A$, where $w''$ results from $w$ by erasing silent actions. From Def. 7 it is clear that $G^\times$ is computable in time polynomial in $|G|$ and $|A|$. □
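The two constructions of this appendix made executable, as an added example that is not part of the paper: `k_index_words` enumerates $L^{(k)}(G)$ (the $k$-index language defined above, derivations whose sentential forms never carry more than $k$ variables) restricted to words up to a given length, and `product_grammar` builds $G \times A$ exactly as in Def. 7, including the fresh variable $\bot$. The grammar and FSA encodings, the toy grammar for $\{a^n b^n \mid n \geq 1\}$, the one-state FSA for $c^*$ and the helper names are mine; `prop2_holds` checks the equation of Prop. 2 on all words up to a length bound. Pruning sentential forms with more than `max_len` terminals is sound because CNF productions never erase a terminal.

```python
from itertools import product as cartesian

# Grammar encoding used here (mine): prods maps each variable to a list of
# right-hand sides, each a tuple of symbols; a symbol is a variable iff it is
# a key of prods, otherwise a terminal string.  The empty tuple is the
# epsilon production, which CNF allows for the axiom only.

def k_index_words(prods, axiom, k, max_len):
    """L^(k)(G) restricted to words of length <= max_len: every sentential
    form reachable from the axiom carries at most k variable occurrences."""
    is_var = lambda s: s in prods
    start = (axiom,)
    seen, todo, words = {start}, [start], set()
    while todo:
        form = todo.pop()
        if not any(is_var(s) for s in form):
            words.add("".join(form))
            continue
        for i, s in enumerate(form):
            if not is_var(s):
                continue
            for rhs in prods[s]:
                new = form[:i] + rhs + form[i + 1:]
                nvars = sum(1 for t in new if is_var(t))
                if nvars > k or len(new) - nvars > max_len:
                    continue                      # index bound or length bound hit
                if new not in seen:
                    seen.add(new)
                    todo.append(new)
    return words

def shuffle(u, v):
    """All interleavings of the words u and v (their asynchronous product)."""
    if not u or not v:
        return {u + v}
    return ({u[0] + w for w in shuffle(u[1:], v)} |
            {v[0] + w for w in shuffle(u, v[1:])})

def product_grammar(prods, axiom, fsa):
    """G x A of Def. 7 for a CNF grammar and fsa = (states, delta, q0, qf),
    delta a set of (q, letter, q') triples and qf the single accepting state.
    Letters shared by G and A synchronise; the others interleave freely."""
    states, delta, q0, qf = fsa
    sigma_A = {a for _, a, _ in delta}
    sigma_G = {s for rhss in prods.values() for rhs in rhss for s in rhs if s not in prods}
    BOT = "_bot"                                  # the fresh variable "bottom"
    px = {(q, X, q2): [] for X in list(prods) + [BOT]
          for q, q2 in cartesian(states, repeat=2)}
    for X, rhss in prods.items():
        for rhs in rhss:
            if len(rhs) == 2:                     # X -> Y Z
                Y, Z = rhs
                for q1, q, q2 in cartesian(states, repeat=3):
                    px[(q1, X, q2)].append(((q1, Y, q), (q, Z, q2)))
                continue
            # X -> sigma (or X -> eps), read as X -> sigma BOT after step one
            for q, q2 in cartesian(states, repeat=2):
                if not rhs or rhs[0] not in sigma_A:
                    px[(q, X, q2)].append(rhs + ((q, BOT, q2),))
                else:
                    for p, a, p1 in delta:
                        if p == q and a == rhs[0]:
                            px[(q, X, q2)].append((a, (p1, BOT, q2)))
    for X in list(prods) + [BOT]:                 # letters of A alone move A's state
        for q, a, q1 in delta:
            if a not in sigma_G:
                for q2 in states:
                    px[(q, X, q2)].append((a, (q1, X, q2)))
    for q in states:
        px[(q, BOT, q)].append(())
    return px, (q0, axiom, qf)

# Constructed inputs: a CNF grammar for { a^n b^n : n >= 1 } and a one-state
# FSA accepting c*.
G_PRODS = {"S": [("A", "T"), ("A", "B")], "T": [("S", "B")], "A": [("a",)], "B": [("b",)]}
G_AXIOM = "S"
FSA_C = ({"q0"}, {("q0", "c", "q0")}, "q0", "q0")

def prop2_holds(k, max_len):
    """Checks L^(k)(G x A) = L^(k)(G) || L(A) on all words of length <= max_len."""
    px, start = product_grammar(G_PRODS, G_AXIOM, FSA_C)
    lhs = k_index_words(px, start, k, max_len)
    rhs = {w for g in k_index_words(G_PRODS, G_AXIOM, k, max_len)
           for j in range(max_len - len(g) + 1) for w in shuffle(g, "c" * j)}
    return lhs == rhs
```

On the toy grammar the index bound bites immediately: $L^{(1)}(G)$ is empty, since the first step $S \Rightarrow AT$ already needs two variables, while $L^{(2)}(G)$ is all of $L(G)$; the $\bot$ productions let the letters of $A$ be placed after the last terminal produced by a variable, which is why Def. 7 introduces them.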

Computing a FSA supporting $L(G)$. We first show that, given a CFG $G$, one can construct a FSA accepting a support of $L(G)$ and whose size is at most exponentially larger than the size of $G$.

Theorem 6. Given a CFG $G = (X, \Sigma, P, X_0)$ in CNF with $n$ variables, we can compute a FSA $A$ with $O(2^{n \log(n)})$ states such that $L(A)$ is a support of $L(G)$.

The proof of Theorem 6 requires the following technical lemma. 

Lemma 11. Let G = (X,E,P,X,) be in CNF and D: Xq ^* v e E* a leftmost 
derivation for some Xq e X. There exists v' < v and a leftmost n-index derivation 

(«) 
D : Xq =>*v , where n is the number of distinct variables appearing in D. 
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Proof. By induction on the number m of sequences of steps of the form X ^* wXa ^* 

ww'a with w + E occurring in D. 

Basis, m = 0. The proof for this case is by induction on the number n of distinct 

variables appearing in D. 

Basis, n - \. Because G is in CNF and the assumption m-Q,D necessarily is such 

(«) 
that Xq ^ V e Z. Hence setting v' = v we find that Xq =**v' which concludes the case. 

Step, n > \. Because G is in CNF and the assumption m = 0, it must be the case 

that D has the following form Xq ^ BC ^* w\C ^* w\W2 - v. Moreover m - 

shows that Xo does not appear in the subsequence of steps D\ : B ^* wi and D2 : C ^* 

W2. The number of distinct variables appearing in Di and D2 being at most n - 1 we 

conclude, by induction hypothesis, that there exists leftmost (n - l)-index derivations 

(n-l) (n-1) 

Z)j : B =>*w\ and Dj: C =>*W2 with WjiVj < w\W2 - v, hence that there exists a 

(n) (n) (n) 

derivation D : Xq =>*BC =>*w\C =>*w\W2 - v such that v < v and we are done. 

Step, m > 0. Therefore in D there exists some variable X such that X =>* wXa ^* 
ww'a and w ^ e. Define the derivation D' given by D where the above subsequence 
of steps is replaced by X ^* w'. Clearly we have that the word v' produced by D' 
is a subword of v, the word produced by D. Moreover the above transformation on 
D allows to use the induction hypothesis on D', hence we find that there exists there 

(n) 

exists a leftmost n-index derivation D" : Xq =>*v" and v" < v' and we are done since 

v" <v'<v. n 

Proof (of Theorem 6). From Lem. 11 it is easy to see that the words given by 
the leftmost n-index derivations is a support of L{G). Recall that G is in CNF. 
Next we define a FS A A = (2", Q, 6, qo, F) such that Q = {weXJ \0< j < n}; 
ii) 6 = {(aw,y,/3w) \ (a,yfi) eP Aj € XU {s}]; Hi) qo - Xq; iv) F = {s}. It is easy 
to see that A simulates all the leftmost sequence of steps of index at most n and accepts 
only when those corresponds to n-index leftmost derivations, hence that L{A) is a sup- 
port of L(G). Also since n = \X\, Q has 0(n") states, or equivalently 0(2"'°s("'). D 

From the construction, it is clear that there is a polynomial-space bounded algorithm 
(in \G\) that can implement the transition relation of A, that is, given an encoding of a 
state of A, produce iteratively the successors of the state. 

Covering Context-free Languages by Bounded-Index Languages. Our second construc- 
tion shows that, given a CFG G, we can construct an (9(|G|)-index language that is a 
cover of L(G). 

Given a CFG G = (X, E, V, Xq) and X,Y ^ X, we say that Y depends on X if G has 
a production X — > aVp for some a,/3 e (Xu E)*, or if there is a variable Z such that Y 
depends on Z and Z depends on X. A strongly connected component (SCCs) of G if a 
maximal subset of mutually dependent variables. 

Theorem 7. Let G — {X, S, V, Xo) he a CFG in CNF with n variables and k SCCs. 
Then L("+2*)(G) is a cover of L(G). 

The proof of Theorem 7 uses the following technical lemma which follows from the 
fact that the commutative images of L(G) and L*"^''(G) coincide [13]. 
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Lemma 12. Let G — {X, S, V, Xo) he a CFG in CNF with n variables. For every a e Z, 

(«+i)* 
ifXo ^* w a vfor some w,v e E* , then Xq > w av for some w , v e E* . 

Proof (of Theorem 7). Let w € L(G). \iw - s, then since G is in CNF, we have Xq ^ e. 
So, w is also in L'^"^^*'(G). Hence, assume w ?i e. We prove by induction on k that w is 
a subword of some W e L*"^^'^'(G). 

Basis, k - 1. We proceed by induction on |w|. Let w = a for some a e E. We 

(1) 
conclude from a e L(G) and G is in CNF that Xq ^ a, hence that Xq =>*a and finally 

that a e L'^"+^*'(G) and we are done. If w = av for some v i^ s then Xq ^ ^1^2 ^* ^ v 

(«+i) 
for some Xi,X2 e A". By Lemma 12, Xi =^*vi for some vi > a, and by induction 

(n+2) (2) (n+2) (n+2) 

hypothesis X2 > *V2 for some V2 > v. So we get Xo =^ ^1^2 =^*ViX2 =^*viV2 

(n+2) 

and taking w - v\V2 we have Xq ==^*w > w. 

Step, k > I. Let J/ c A" be the set of variables of a bottom strongly connected 
component of G, and let Pi/ c !P be the productions of G with a variable of J/ on the left 
side. For every Fe J/, let Gy = (J/,2',!Pj/,y); further, let G' = (A\J/,ruJ/,!P\!Pj/,Xo). 
Since w e L(G), there exist derivations Xq ^* wiYiW2. ■ . WyYrWr+i in L(G') and F, =>* 
Vi in L(Gy.) for every / = 1, . . . , r such that wivi . . . WrVptVr+x = w- Since G' has (A: - 1) 

O'l) 
SCCs, by induction hypothesis there is Xq => *w\Y^W2 ■ • ■ w,Yjw^^^ in L(G ), where 

i\ - n - |J/| + 2{k - 1) and such that v/^Y'^v/^ . . . w'tY'^w'^^^ > w\Y\W2 ■ ■ • WyYrWr+i- In 

particular we have Y[ . . .Y', > Yi . . . Y^ which implies that there exists a monotonic 

injection h: {1, . . . ,r) — > {1, . . . ,f) such that Fw^., = F, for all / e {1, . . . ,r). Since every 

Gy has one strongly connected component, for every j - 1, . . . , r there is v' > Vj such 

fe) * 
that Fw ., - Yj =^ v', where (2 = l-i^l + 2. On the other hand, for every { not in the 

('2) * 
image of h there also is some word v'^ such that F^ ^ v'^, where /2 = l-i^l + 2. 

So we have 

((1) , , , , , , , 

Xq =^ wJ^w^Y^-.-wJiW^^^ 

=> w^v^w^i...WtYtW^^^ 



(h+h). 



('l+'2)„ 



..w\Y,w\ 



r+l 



(n\-lk) 

Let w' = w'jv'j . . . wjvjwj^j. Since i\ + i2 - n + 2k, we get Xq > *w' > w, and we are 

done. n 

Checking Emptiness of k-index languages. Finally, we show that LP^\G) ^ is de- 
cidable in NSPACE(fclog(|G|)). In contrast, non-emptiness checking for context-free 
languages is P-complete as shown by Jones [18]. 

Theorem 8. Given a CFG G in CNF and k>\, it is in NSPACE(/tlog(|G|)) to decide 
whether L^''\G) + 0. 



23 



Proof. We give a non-deterministic space algorithm. The algorithm, called query, takes 

two parameters, a variable X e X and a number ( >\, and guesses an ^-index derivation 

of some word starting from X. To do so, the algorithm guesses a production (X, w) eV 

with head X. If X —> cr is chosen, for cr e Z" U {e), it returns true. If X — > BC is chosen, 

the algorithm non-deterministically looks (using a recursive call) (i) for an {{- l)-index 

derivation from B and an ^-index derivation from C, or (ii) for an (^- l)-index derivation 

from C and an /'-index derivation from B. When ^ = or a recursive call returns false, 

then query returns false. 

We show the following invariant: query{(,X) has an execution returning true iff 
(t) 
X =^*w for some w e Z*. It follows that query(k,XQ) returns true iff L^" '(G) + 0. The 

right-to-left direction is proved on the number m of steps in a bounded-index derivation. 

(0 
If m - I then we have X => w with £ - I and query(i, X) returns true by picking 

(X, w) e p. If m > 1 then the sequence of steps is as follows X => BC =>*w where 

(c-i) (() (e-i) ({) 

{ > 2. From there either B =^*wi, C =^*W2, or C =^*W2 and B =^*w\ where 

w - w\W2 holds. Let us assume the latter holds (the other case is treated similarly). 

C-i) W 

Then we have C =^*W2 and B =^*w\ and both sequence have no more than m - \ 

steps. Therefore the induction hypothesis shows that query(( - 1,C) and query{(,B) 
return true, and so does query{{, X) by picking {X, BC) e V. 

The left-to-right direction is proved by induction on the number m of times produc- 
tions are picked in an execution of query that returns true. If m = 1 then ( > \ and a 
production {X, cr) e P where cr e 2" U {e) must have been picked, hence the deriva- 

(0 
tion X =^ cr.lf m > I, query recursively called itself after picking {X,BC) e f. Let 

us assume case (i) was executed ((ii) is treated similarly). Following the assumption 

both calls query{£ - \,B) and query{{, C) return true (hence { > 2) and are such that 

productions are picked at most m - 1 times. Next, the induction hypothesis shows that 

B =>*wi and C => W2 for some wi and W2- Finally, X — > BC of P and ( > 2 shows 

C) (0 (() 

that X =* BC =>*WiC =>*WiW2 and we are done. 

It remains to show that query{k,X()) runs in NSPACE(A:log(|G|)). Observe that for 

each non-deterministic choice (i) or (ii), there is one recursive call query(B, ^ - 1) or 

queryiC, I - 1). The other call (e.g., to query(C, €) in case (i)) is tail-recursive and can 

be replaced by a loop. Since the index that is passed to that recursive call decreases 

by 1 and query returns false when the index is 0, we find that along every execution 

at most k stack frames are needed and each frame keeps track of a grammar variable 

which can be encoded with log(|G|) bits. Hence we find that LP^\G) + can be decided 

inNSPACE(ytlog(|G|)). D 
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